Vendor: Online Birth Certificate System
By: Subhadip Nag
CVSS: 8.8 (HIGH)
Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Online Birth Certificate System
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:phpgurukul:online_birth_certificate_system:1.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Server: XAMPP
2021
Online Birth Certificate System 1.1 – ‘Multiple’ Stored Cross-Site Scripting (XSS)
Online Birth Certificate System 1.1 is vulnerable to stored cross-site scripting (XSS) in the registration form because of insufficient validation of user-supplied data. To exploit the vulnerability, an attacker can enter a malicious payload in the first name field of the registration form and click register. After successful registration, the attacker can log in with the credentials and the XSS attack will be successful.
Mitigation:
Input validation should be done on the user supplied data to prevent XSS attacks.
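The following added example (not code from the application or its vendor) shows the mitigation for the first name field: an allow-list check before the value is stored, paired with HTML encoding wherever the stored value is rendered. The function names `validate_first_name` and `h`, the field name `fname`, and the 50-character limit are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the affected application.

// Allow-list check applied before the value is stored.
// Accepts 1-50 characters: letters and combining marks, plus space . ' -
// Returns the trimmed name, or null when the value is rejected.
function validate_first_name(string $raw): ?string
{
    $name = trim($raw);
    // The /u flag also makes preg_match() fail on invalid UTF-8 input.
    if (preg_match('/\A[\p{L}\p{M}][\p{L}\p{M} .\'-]{0,49}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// Encode a value for HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions for the first name field.
$samples = [
    'Anita',
    'Jean-Luc',
    "O'Brien",
    '<script>/* constructed test value */</script>',
    'Ann" data-x="1',
];

foreach ($samples as $raw) {
    $stored = validate_first_name($raw);
    if ($stored === null) {
        echo 'rejected at input: ' . h($raw) . PHP_EOL;
        continue;
    }
    echo '<td>' . h($stored) . '</td>' . PHP_EOL;
}

// Rows saved before the check existed are still rendered, so every output
// path encodes. Constructed legacy value (hypothetical field name "fname"):
$legacy = '<script>/* constructed test value */</script>';
echo '<input name="fname" value="' . h($legacy) . '">' . PHP_EOL;
```

Because no patch exists for version 1.1, values already stored in the database should be treated as untrusted, which is why the rendering path encodes even data that passed validation.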