跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Class Scheduling System 1.0 - Multiple Stored XSS

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title:  Class Scheduling System 1.0 - Multiple Stored XSS
# Exploit Author: Aakash Madaan (Godsky)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/5175/class-scheduling-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5175&title=Class+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

[+] Step 1. Login to the application with admin credentials

[+] Step 2.1(a). Click on "Department" page.  {Uri :http(s)://<host>/admin/department.php}
    Step 2.1(b). In the "Person Incharge" field, use XSS payload '"><script>alert("Department")</script>' as the name of new course and click on save.
                 [ Note : The XSS can also be triggered if we put the same payload in "Title" field ]
    Step 2.1(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Department", your XSS Payloads will be triggered.

[+] Step 2.2(a). Click on "Subject" page.  {Uri :http(s)://<host>/admin/subject.php}
    Step 2.2(b). In the "Subject Code" field, use XSS payload '"><script>alert("Subject")</script>' as the name of new course and click on save.
                 [ Note : The XSS can also be triggered if we put the same payload in "Title" field ]
    Step 2.2(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Subject", your XSS Payloads will be triggered.

[+] Step 2.3(a). Click on "Course" page.  {Uri :
http(s)://<host>/admin/course.php}
    Step 2.3(b). In the "Course Year" field, use XSS payload '"><script>alert("Course")</script>' as the name of new course and click on save.
                 [ Note : The XSS can also be triggered if we put the same payload in "Major" field ]
    Step 2.3(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Course", your XSS Payloads will be triggered.

[+] Step 2.3(a). Click on "Record" page.  {Uri :http(s)://<host>/admin/record.php}
    Step 2.3(b). In the "Name" field, use XSS payload '"><script>alert("Record")</script>' as the name of new course and click onsave.
                 [ Note : The XSS can also be triggered if we put the same payload in "Academic Rank" or "Designation" field ]
    Step 2.3(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Record", your XSS Payloads will be triggered.

[+] Step 3. This should trigger the XSS payload and anytime you click on respective pages, your stored XSS payload will be triggered.

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。