# Exploit Title: Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS) # Date: 2021-09-08 # Exploit Author: Emre Aslan # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip # Version: 1.0 # Tested on: Windows 11 - XAMPP Server # Vulnerable page: host/admin/* # Vulnerable Code:
Admin[PAYLOAD]
# Vulnerable Parameter: adminname[ POST Data ] # Tested Payload: # Proof Of Concept: # 1 - Login the dashboard # 2 - Go to /admin/admin-profile.php # 3 - set admin name with payload # 4 - xss fires