
CVE-2023-29839 PoC: Hotel Druid Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: Hotel Druid Cross-Site Scripting Vulnerability (CVE-2023-29839)
Description: Hotel Druid is an open-source hotel management program developed by DigitalDruid.Net. Hotel Druid 3.0.4 contains a stored cross-site scripting (XSS) vulnerability: client data is stored unescaped and rendered into other pages, which lets an attacker run arbitrary JavaScript in the browser of any user who views the affected page.
Description: Hotel Druid 3.0.4 Stored Cross-Site Scripting Vulnerability

Readme
# CVE-2023-29839 Hotel Druid 3.0.4 Stored Cross Site Scripting Vulnerability
CMS Link: https://www.hoteldruid.com/

Version Affected: 3.0.4

Severity & CVSS: 5.4 (Medium) | Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 

A stored cross-site scripting (XSS) vulnerability exists in multiple pages of Hotel Druid 3.0.4. A client's Surname, Name or Nickname is saved without sanitisation and written unescaped into the document preview, so any authenticated user who can create or edit a client (PR:L) can plant JavaScript that executes in the browser of every other user who opens that preview (UI:R). The impact is arbitrary script execution in the victim's session, not command execution on the server.

Vulnerable Fields: Surname, Name, Nickname in the "Document" function

Affected Links: `/visualizza_contratto.php`

Triggering the payload: Visit the **Example** document preview function

Remediation: Update to HotelDruid version 3.0.5

Steps to Reproduce: 
1. Enter an XSS payload into a client's name. This can be done either while making a room reservation or when registering a brand-new client. The payload used is `<script>alert(document.domain)</script>`

<img width="1438" alt="client_payload" src="https://user-images.githubusercontent.com/34933203/235818739-9a71fc4c-c0c4-4646-9772-42346b953bb9.png">

2. Navigate to the "Clients" tab and select the client carrying the XSS payload by clicking on the "N" column
3. On this page there are two ways to trigger the stored XSS payload. The first is by viewing the **Example** document in the top right-hand corner of the page

<img width="1434" alt="Screenshot 2023-03-10 at 2 08 13 PM" src="https://user-images.githubusercontent.com/34933203/235818836-7d4e8c89-8193-4a47-b14e-21d45f735061.png">

<img width="1438" alt="Screenshot 2023-03-10 at 2 08 49 PM" src="https://user-images.githubusercontent.com/34933203/235818870-1b7305da-bd6d-4387-b021-62076668de83.png">

4. The second way to trigger the XSS payload is to scroll to the bottom of the page, where the client's data can be modified
5. Once again, select the **Example** document and click "View"

<img width="1433" alt="Screenshot 2023-03-10 at 2 10 13 PM" src="https://user-images.githubusercontent.com/34933203/235818954-e53d0088-cf7c-4140-8c4c-f8051b7dac23.png">

<img width="1438" alt="Screenshot 2023-03-10 at 2 08 49 PM" src="https://user-images.githubusercontent.com/34933203/235818973-12fba289-ee66-4e9b-88fc-18eff5bd53ad.png">

6. The payload can also be triggered from elsewhere: navigate to "Reservations" and modify the client's reservation

<img width="1435" alt="Screenshot 2023-03-10 at 2 17 48 PM" src="https://user-images.githubusercontent.com/34933203/235819057-cc36c598-6bc4-4f1b-afdf-1d8e151ace02.png">

7. Scroll to the bottom of the page and once again select the **Example** document and click on "View"

<img width="1434" alt="Screenshot 2023-03-10 at 2 18 12 PM" src="https://user-images.githubusercontent.com/34933203/235819092-b0d2b0d9-2494-4c57-afe6-2afaefeaa6be.png">

<img width="1438" alt="Screenshot 2023-03-10 at 2 08 49 PM" src="https://user-images.githubusercontent.com/34933203/235819105-b7c8cfec-833e-4a1b-941f-dd7d092f800f.png">
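As an added example (not part of the original PoC and not Hotel Druid's own code), the following Python shows how to check a saved copy of the document-preview response for this class of bug, and what the fix at the rendering sink looks like. `classify()` reports whether the stored value came back verbatim (the browser will parse it as markup), only as an HTML-entity-encoded copy (a fixed sink), or not at all; `make_probe()` gives an inert unique marker that is safer than `alert()` for automated checks. The sample preview pages are constructed here to illustrate the two outcomes; they are not captured from a real install, and the Italian field labels and heading in them are assumptions about the page layout.

```python
"""Added example: classify a document-preview response for a stored-XSS sink
and show the output encoding that fixes it.

Not Hotel Druid code. Sample responses are constructed; the field labels
("Cognome", "Nome") and heading used in them are assumptions.
"""
import html
import secrets

# Payload used in the advisory's reproduction steps.
ADVISORY_PAYLOAD = "<script>alert(document.domain)</script>"


def make_probe() -> str:
    """Inert, unique marker for automated checks: if it comes back as a real
    tag the sink is unescaped, but nothing pops in the operator's browser."""
    return f"<xss-probe-{secrets.token_hex(4)}></xss-probe>"


def classify(response_body: str, payload: str) -> str:
    """'vulnerable' : payload echoed verbatim, browser will parse it as markup
       'escaped'    : only an HTML-entity-encoded copy is present (fixed sink)
       'absent'     : the stored value does not appear on this page at all"""
    if payload in response_body:
        return "vulnerable"
    if html.escape(payload, quote=True) in response_body:
        return "escaped"
    return "absent"


def render_field_unsafe(label: str, value: str) -> str:
    """The bug class: an untrusted stored value written straight into HTML."""
    return f"<p>{label}: {value}</p>"


def render_field_safe(label: str, value: str) -> str:
    """The fix: entity-encode at the HTML text-content sink. Encoding on output
    rather than filtering on input covers every page that renders the value,
    which matters here because the advisory lists several trigger points."""
    return f"<p>{html.escape(label, quote=True)}: {html.escape(value, quote=True)}</p>"


def build_preview(render, surname: str, name: str) -> str:
    """Constructed stand-in for the document preview page; the heading and
    labels are assumptions, not the real visualizza_contratto.php output."""
    return (
        "<html><body><h2>Contratto</h2>"
        + render("Cognome", surname)
        + render("Nome", name)
        + "</body></html>"
    )


def check_instance(seeded_payload: str, preview_html: str) -> dict:
    """Summarise one check: which payload was seeded and what came back."""
    verdict = classify(preview_html, seeded_payload)
    return {
        "payload": seeded_payload,
        "verdict": verdict,
        "exploitable": verdict == "vulnerable",
    }


if __name__ == "__main__":
    vuln = build_preview(render_field_unsafe, ADVISORY_PAYLOAD, "Mario")
    fixed = build_preview(render_field_safe, ADVISORY_PAYLOAD, "Mario")
    print(check_instance(ADVISORY_PAYLOAD, vuln))    # exploitable: True
    print(check_instance(ADVISORY_PAYLOAD, fixed))   # exploitable: False
    probe = make_probe()
    print(check_instance(probe, build_preview(render_field_unsafe, probe, "Mario")))
```

In practice you seed the probe into the Surname field through the normal client form, open the **Example** preview in an authenticated session, save the response body and pass it to `check_instance()`. An "escaped" verdict confirms the value is still stored raw but the sink now encodes it, which is the correct fix for a value rendered on several pages; an input-side filter on one form would leave the other entry points the advisory lists untouched.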

