Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-46016 PoC — Code-Projects Blood Bank 安全漏洞

Source
https://github.com/ersinerenler/CVE-2023-46016-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability
Associated Vulnerability
Title:Code-Projects Blood Bank 安全漏洞 (CVE-2023-46016)
Description:Cross Site Scripting (XSS) in abs.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'search' parameter in the application URL.
Readme
# CVE-2023-46016-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability
+ Exploit Author: ersinerenler
# Vendor Homepage
+ https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link
+ https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Overview
+ Code-Projects Blood Bank V1.0 is susceptible to a significant security vulnerability involving Reflected Cross-Site Scripting (XSS) through the 'search' parameter in the abs.php file. The application fails to adequately sanitize user-supplied data, making it prone to script injection attacks. An attacker can exploit this issue to execute arbitrary script code in the browser of unsuspecting users, potentially compromising their security and privacy within the affected site.
# Vulnerability Details
+ CVE ID: CVE-2023-46016
+ Affected Version: Blood Bank V1.0
+ Vulnerable File: /abs.php
+ Parameter Name: search
+ Attack Type: local
# References:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46016
+ https://nvd.nist.gov/vuln/detail/CVE-2023-46016
# Description
+ The 'search' parameter in the abs.php file of Code-Projects Blood Bank V1.0 is susceptible to Reflected Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into the 'search' parameter, which, when executed, could compromise the user's browser within the context of the affected site.
# Proof of Concept (PoC) : 
+ Payload: `%22%3E%3C/option%3E%20%3C/select%3E%3Cbr%3E%3Csvg/onload=alert(document.domain)%3E`
+ `http://localhost/bloodbank/abs.php?search=%22%3E%3C/option%3E%20%3C/select%3E%3Cbr%3E%3Csvg/onload=alert(document.domain)%3E`
<img width="1447" alt="image" src="https://github.com/ersinerenler/CVE-2023-46016-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability/assets/113091631/fc050e43-7043-4244-80d3-ece7e53dfc62">
File Snapshot

 [4.0K]  /data/pocs/ec1d7aeeb8a866b09ff1fd96369c35c3820bba26
└── [2.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →