39 lines
No EOL
1.7 KiB
Text
39 lines
No EOL
1.7 KiB
Text
# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)
|
||
# Date: 19/05/2021
|
||
# Exploit Author: Rohit Burke
|
||
# Vendor Homepage: https://phpgurukul.com
|
||
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
|
||
# Version: 1.0
|
||
# Tested on: Windows 10
|
||
|
||
==> Stored Cross-Site Scripting XSS:
|
||
An attacker uses Stored XSS to inject malicious content (referred to as
|
||
the payload), most often JavaScript code, into the target application. If
|
||
there is no input validation, this malicious code is permanently stored
|
||
(persisted) by the target application, for example within a database. For
|
||
example, an attacker may enter a malicious script into a user input field
|
||
such as a blog comment field or in a forum post.
|
||
When a victim opens the affected web page in a browser, the XSS attack
|
||
payload is served to the victim’s browser as part of the HTML code (just
|
||
like a legitimate comment would). This means that victims will end up
|
||
executing the malicious script once the page is viewed in their browser.
|
||
|
||
==> Attack Vendor:
|
||
This vulnerability can results attacker injecting the XSS payload in the
|
||
Admin profile section and each time admin visits the all other sections of
|
||
the application the XSS triggers and the attacker can able to steal the
|
||
cookie according to the crafted payload.
|
||
|
||
==> Vulnerable Parameters:
|
||
"Admin name" parameter
|
||
|
||
==> Steps for reproduce:
|
||
|
||
1) Go to http://localhost/covid-tms/login.php
|
||
and logged In as an Admin (#Username: admin #Password: Test@123).
|
||
|
||
2) Click on (Admin --> Profile). Enter the payload in
|
||
Admin name = <script>alert(1337)</script>
|
||
Click on submit.
|
||
|
||
3) Now, whichever section of the application admin visits the payload gets executed successfully. |