Share
# Exploit Title: Hospital Management System 4.0 Stored Cross-Site Scripting Vulnerability  
# Date: 2020-01-20  
# Exploit Author: Priyanka Samak  
# Vendor Homepage: https://phpgurukul.com/  
  
# Software Link : https://phpgurukul.com/hospital-management-system-in-php/  
  
# Software : Hospital Management System  
# Version : 4.0  
# Vulernability Type : Cross-site Scripting  
# Vulenrability : Stored XSS  
# Tested on: Windows 10  
  
# This application is vulnerable to Stored XSS vulnerability. This  
  
# Vulnerability exists in the DOCTOR Module of the application.  
  
# Vulnerable script: http://localhost/hospital/hms/doctor/add-patient.php  
  
# Vulnerable parameter: “Medical History” Input Field  
  
# Payload used: <script>alert(“YOU ARE FOOLED!!”)</script>  
# POC: http://localhost/hospital/hms/doctor/add-patient.php in this  
# URL you can add the patient information.  
# Enter your payload into the Medical History field. Click on  
# the Manage Patient page and View the information, you will see your Javascript code executes.  
  
  
Thanks,  
Priyanka Samak