# Title: Helmet Store Showroom Site - XXE Injection
# Author: @Eawhitehat - Eren Arslan
# Demo available: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html
# CVE: N/A
# XSS
# Screenshots:
https://prnt.sc/7Nh7gOjdnsyR
https://prnt.sc/LmOQKkZ6geJV
https://prnt.sc/ZgMTMWG3U4A1
Used Payload:
<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>
Demo Account:
Username: admin
Password: admin123
Method:
Connect to the admin panel: http://localhost/admin
# Vulnerability
1. After logging in, go to ../admin/?page=categories (Category List).
2. Click Add New Category and paste the payload into both the category name and the description fields.
3. Reload the Category List page; the stored payload is rendered by the page, which is the reported XXE injection.
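The injection works because the stored category fields are written back into the page as-is. The following is an added illustration, not code from the Helmet Store Showroom project: it assumes the Category List builds HTML rows from the stored name and description (the function names are hypothetical), and shows that row rendering with and without output encoding.

```php
<?php
// Added illustrative example, not the project's own code.
// Assumption: the category list page builds its table rows by
// concatenating the stored name/description into HTML.

// Constructed sample row, holding the payload from this write-up
// exactly as it would sit in the categories table after step 2.
$storedCategory = [
    'name'        => '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>',
    'description' => 'constructed sample description',
];

// Vulnerable pattern: stored values go straight into the markup, so
// whatever was saved is parsed as HTML by the next admin who loads the list.
function renderRowUnsafe(array $cat): string
{
    return '<tr><td>' . $cat['name'] . '</td><td>' . $cat['description'] . '</td></tr>';
}

// Hardened pattern: encode every untrusted value at output time.
// ENT_QUOTES also encodes quotes so the value is safe inside attributes;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $cat): string
{
    return '<tr><td>' . e($cat['name']) . '</td><td>' . e($cat['description']) . '</td></tr>';
}

echo renderRowUnsafe($storedCategory), PHP_EOL; // tags reach the browser intact
echo renderRowSafe($storedCategory), PHP_EOL;   // payload is shown as literal text

// Regression check a reviewer can keep: no raw tag from the payload survives encoding.
assert(strpos(renderRowSafe($storedCategory), '<methodCall>') === false);
assert(strpos(renderRowSafe($storedCategory), '&lt;methodCall&gt;') !== false);
```

Output encoding at the point of rendering is the fix; input-side length or character limits on the category form are a useful additional control but do not replace it.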