This CHT Posted November 4, 2022 Group: The leader of the Content Count: 4,798 Achievement Points: 31,702 With Us For: 243 Days Status: Offline Last Seen: May 19 Device: Windows Share Posted November 4, 2022 # Exploit Title: Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated) # Date: 04-05-2021 # Exploit Author: Reza Afsahi # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html # Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code # Version: 0.1 # Tested on: PHP 7.4.11 , Linux x64_x86 # --- Description --- # # The web application allows for an assisstant to inject persistent Cross-Site-Scripting payload which will be executed in both assistant and Super Admin panel # --- Proof of concept --- # 1- Login as Assistant and go to: http://localhost/code/Admin_Dashboard/Add_employee.php 2- Click on Add Employee button 3- Inject this payload into First Name input : <script>alert('xss')</script> 4- and fill other inputs as you want (Other inputs might be vulnerable as well) then click on Save button. 5- refresh the page and Xss popup will be triggered. 6- Now if Super Admin visit this page in his/her Dashboard : http://localhost/code/Superadmin_Dashboard/Add_employee.php 7- Our Xss payload will be executed on Super Admin Browser ** Attacker can use this vulnerability to take over Super Admin account ** Link to comment Share on other sites More sharing options...
Recommended Posts