0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
COVID19 Testing Management System 1.0 - (Admin name) Cross-Site Scripting Vulnerability
[# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS) # Exploit Author: Rohit Burke # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Windows 10 ==> Stored Cross-Site Scripting XSS: An attacker uses Stored XSS to inject malicious content (referred to as the payload), most often JavaScript code, into the target application. If there is no input validation, this malicious code is permanently stored (persisted) by the target application, for example within a database. For example, an attacker may enter a malicious script into a user input field such as a blog comment field or in a forum post. When a victim opens the affected web page in a browser, the XSS attack payload is served to the victim’s browser as part of the HTML code (just like a legitimate comment would). This means that victims will end up executing the malicious script once the page is viewed in their browser. ==> Attack Vendor: This vulnerability can results attacker injecting the XSS payload in the Admin profile section and each time admin visits the all other sections of the application the XSS triggers and the attacker can able to steal the cookie according to the crafted payload. ==> Vulnerable Parameters: "Admin name" parameter ==> Steps for reproduce: 1) Go to http://localhost/covid-tms/login.php and logged In as an Admin (#Username: admin #Password: Test@123). 2) Click on (Admin --> Profile). Enter the payload in Admin name = <script>alert(1337)</script> Click on submit. 3) Now, whichever section of the application admin visits the payload gets executed successfully. # 0day.today [2024-11-15] #