toggle-mode

COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)

Rohit Burke

# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)
# Date: 19/05/2021
# Exploit Author: Rohit Burke
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10

==> Stored Cross-Site Scripting XSS:
An attacker uses Stored XSS to inject malicious content (referred to as
the payload), most often JavaScript code, into the target application. If
there is no input validation, this malicious code is permanently stored
(persisted) by the target application, for example within a database. For
example, an attacker may enter a malicious script into a user input field
such as a blog comment field or in a forum post.
When a victim opens the affected web page in a browser, the XSS attack
payload is served to the victim’s browser as part of the HTML code (just
like a legitimate comment would). This means that victims will end up
executing the malicious script once the page is viewed in their browser.

==> Attack Vendor:
This vulnerability can results attacker injecting the XSS payload in the
Admin profile section and each time admin visits the all other sections of
the application the XSS triggers and the attacker can able to steal the
cookie according to the crafted payload.

==> Vulnerable Parameters:
"Admin name" parameter

==> Steps for reproduce:

1) Go to http://localhost/covid-tms/login.php
and logged In as an Admin (#Username: admin #Password: Test@123).

2) Click on (Admin --> Profile). Enter the payload in
Admin name = <script>alert(1337)</script> 
Click on submit.

3) Now, whichever section of the application admin visits the payload gets executed successfully.

date: 2021-05-19, platform: webapps, type: php