1d95e0bd8b
16 changes to exploits/shellcodes Nxlog Community Edition 2.10.2150 - DoS (Poc) Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated) Linksys RE6500 1.0.11.001 - Unauthenticated RCE Content Management System 1.0 - 'First Name' Stored XSS Content Management System 1.0 - 'email' SQL Injection Content Management System 1.0 - 'id' SQL Injection Medical Center Portal Management System 1.0 - 'id' SQL Injection Customer Support System 1.0 - _First Name_ & _Last Name_ Stored XSS Customer Support System 1.0 - 'id' SQL Injection Online Tours & Travels Management System 1.0 - _id_ SQL Injection Interview Management System 1.0 - Stored XSS in Add New Question Interview Management System 1.0 - 'id' SQL Injection Employee Record System 1.0 - Multiple Stored XSS PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting) Victor CMS 1.0 - Multiple SQL Injection (Authenticated)
18 lines
No EOL
980 B
Text
18 lines
No EOL
980 B
Text
# Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
|
|
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
|
|
# Date: 2020-12-11
|
|
# Google Dork: N/A
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
|
|
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
|
|
# Affected Version: Version 1
|
|
# Tested on: Parrot OS
|
|
|
|
Step 1. Login to the application with any valid credentials
|
|
|
|
Step 2. Click on the username in header and select "Manage Account".
|
|
|
|
Step 3. On "Manage Account" page, insert "<script>alert("r0b0tG4nG")</script>" in both the "First Name" & "Last Name" fields.
|
|
|
|
Step 4. Complete the other required details and click on save to update user information.
|
|
|
|
Step 5. This should trigger the XSS payloads. Whenever the user logs in with same valid credentials, the XSS payloads will be triggered |