Exploit Title: Exam Form Submission In PHP With Source Code - Cross-Site Scripting (XSS)
Vendor Homepage: https://code-projects.org/
Software Link: https://code-projects.org/exam-form-submission-in-php-with-source-code/
Tested On: Linux
Attack Type: Local
Use payload: <script>alert(123)</script>
Steps to Reproduce:
1. Visit https://localhost/EXAM_FORM_SUBMISSION/
2. Click on "Admin"
3. After clicking "Admin", you are redirected to the URL: https://localhost/EXAM_FORM_SUBMISSION/admin/index.php
4. Fill in the Admin ID "hodCSE@bmsce.ac.in" and the Password "hodcs"
5. You are then redirected to the URL: https://localhost/EXAM_FORM_SUBMISSION/admin/dashboard.php
6. Click on "2 Subject Listed for 1th sem"
7. Click on "Update"
8. Use this payload: <script>alert(123)</script>
9. Put the XSS payload ( <script>alert(123)</script> ) in the "Subject Name" and "Subject Code" fields
10. Then click on "Change Subject"
11. The payload is reflected and an alert with the value 123 pops up.
Reference: CVE-2023-42307
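The root cause described above is that values stored from the "Change Subject" form are written back into the subject list as raw HTML. The following is an added PHP example, not code from the advisory or from the code-projects.org project; the function names, the $subject array layout and the allowed character classes in the validation rules are assumptions chosen to illustrate the fix. It places the unescaped rendering next to an output-encoded version and adds a server-side input check for the two affected fields.

```php
<?php
// Added example (not from the original advisory or the code-projects.org project):
// the unescaped rendering that lets the advisory's payload run, next to an
// output-encoded version plus an input check for the "Change Subject" handler.
// Function names and the $subject array shape are assumptions for illustration.

declare(strict_types=1);

// Constructed sample: the advisory's payload placed in "Subject Name" and "Subject Code".
const SAMPLE_SUBJECT = [
    'subject_name' => '<script>alert(123)</script>',
    'subject_code' => '<script>alert(123)</script>',
];

// Vulnerable pattern: attacker-controlled database values are concatenated straight into HTML,
// so a stored <script> element is parsed and executed by every admin browser that loads the list.
function renderSubjectRowUnsafe(array $subject): string
{
    return '<tr><td>' . $subject['subject_name'] . '</td><td>' . $subject['subject_code'] . '</td></tr>';
}

// Output encoding for HTML body and attribute context. ENT_QUOTES also encodes single quotes,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value is encoded at output time, regardless of how it was stored.
function renderSubjectRowSafe(array $subject): string
{
    return '<tr><td>' . e($subject['subject_name']) . '</td><td>' . e($subject['subject_code']) . '</td></tr>';
}

// Defence in depth for the "Change Subject" handler: reject input that does not look like a
// subject name or course code (assumed formats: short printable names, alphanumeric codes).
// This is a complement to output encoding, not a replacement for it.
function validateSubjectInput(string $name, string $code): array
{
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9 .&()\-]{1,100}$/', $name)) {
        $errors[] = 'subject_name contains disallowed characters';
    }
    if (!preg_match('/^[A-Za-z0-9\-]{1,20}$/', $code)) {
        $errors[] = 'subject_code must be 1-20 alphanumeric characters';
    }
    return $errors;
}

// Demonstration when run from the command line: php subject_xss_fix.php
if (PHP_SAPI === 'cli') {
    echo 'Unsafe: ' . renderSubjectRowUnsafe(SAMPLE_SUBJECT) . PHP_EOL;
    echo 'Safe:   ' . renderSubjectRowSafe(SAMPLE_SUBJECT) . PHP_EOL;
    $errors = validateSubjectInput(SAMPLE_SUBJECT['subject_name'], SAMPLE_SUBJECT['subject_code']);
    echo 'Validation: ' . ($errors ? implode('; ', $errors) : 'ok') . PHP_EOL;
}
```

With the sample above, renderSubjectRowSafe() emits `&lt;script&gt;alert(123)&lt;/script&gt;` inside each cell, so the browser shows the literal text instead of executing it, and validateSubjectInput() rejects both fields before they reach the database. The same htmlspecialchars() call should be applied wherever dashboard.php or related pages print subject data; encoding only the update form leaves every other output point exposed.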