PoC details: 3891fb5de7eff7c396dd457f49f4f5473748c623

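Source
Related vulnerability
Title: User Registration & Login and User Management System security vulnerability (CVE-2024-25202)
Description: User Registration & Login and User Management System is a user management system with an admin panel. PHPGurukul User Registration & Login and User Management System version 1.0 contains a security vulnerability: an attacker can run arbitrary code through the search bar.
Introduction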
# CVE-2024-25202
A vulnerability was found in PHPGurukul visitor management system 1.0. It has been rated as problematic. The issue affects some unknown functionality of the search bar in the files search-result.php and search-visitor.php. The vulnerability is Cross-Site Scripting (XSS).
# Usage
One more vulnerability finding in PHPGurukul: SQL injection in the authentication session.

Login

After logging in to the account, or bypassing authentication through SQL injection, go to Search management at the top right.

Payload

'"><svg/onload=confirm(/xsss/)>

![image](https://github.com/Agampreet-Singh/CVE-2024-25202/assets/73707055/71267e4b-1a5b-41f5-b847-5124b1f03732)



As you see, I will search the code in the Search Session.

![image](https://github.com/Agampreet-Singh/CVE-2024-25202/assets/73707055/6cf103ff-c91f-4a2d-b38b-1458525ea6de)

XSS popup

According to this scenario, the XSS vulnerability is valid in search-visitor or search-bar.php.

# PoC (Proof Of Concept) Video Tutorial 
https://github.com/Agampreet-Singh/CVE-2024-25202/assets/73707055/7479c8cf-b6b7-4659-9be9-beb9bdb2153b

File snapshot

    [4.0K] /data/pocs/3891fb5de7eff7c396dd457f49f4f5473748c623
    ├── [447K] CVE-2024-25202.mp4
    ├── [ 65K] CVE-2024-25202.png
    ├── [  31] payload.txt
    ├── [1.1K] README.md
    └── [ 30K] xss response.png

    0 directories, 5 files