# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS) # Date: 19/05/2021 # Exploit Author: Rohit Burke # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Windows 10 ==> Stored Cross-Site Scripting XSS: An attacker uses Stored XSS to inject malicious content (referred to as the payload), most often JavaScript code, into the target application. If there is no input validation, this malicious code is permanently stored (persisted) by the target application, for example within a database. For example, an attacker may enter a malicious script into a user input field such as a blog comment field or in a forum post. When a victim opens the affected web page in a browser, the XSS attack payload is served to the victim’s browser as part of the HTML code (just like a legitimate comment would). This means that victims will end up executing the malicious script once the page is viewed in their browser. ==> Attack Vendor: This vulnerability can results attacker injecting the XSS payload in the Admin profile section and each time admin visits the all other sections of the application the XSS triggers and the attacker can able to steal the cookie according to the crafted payload. ==> Vulnerable Parameters: "Admin name" parameter ==> Steps for reproduce: 1) Go to http://localhost/covid-tms/login.php and logged In as an Admin (#Username: admin #Password: Test@123). 2) Click on (Admin --> Profile). Enter the payload in Admin name = <script>alert(1337)</script> Click on submit. 3) Now, whichever section of the application admin visits the payload gets executed successfully.