Online Hotel Booking System Pro 1.3 Cross Site Scripting

2020-04-04T00:00:00
ID PACKETSTORM:157117
Type packetstorm
Reporter thelastvvv
Modified 2020-04-04T00:00:00

Description

                                        
                                            `# Exploit Title: Online Hotel Booking System Pro v1.3 XSS Vulnerability  
# Google Dork:N/A  
# Date: 2020-04-04  
# Exploit Author: @ThelastVvV  
# Vendor Homepage: https://codecanyon.net/item/online-hotel-booking-system-pro/4606514  
# Version: 1.3  
# Tested on: 5.4.0-4parrot1-amd64  
  
---------------------------------------------------------  
  
  
Summary:  
  
Persistent Cross-site Scripting in Customer registration-form all-tags   
  
PoC 1:  
  
  
  
1- Go to the hotel booking page then choose new customor   
  
  
http://example/hotel-booking-pro/  
  
2- In "any " field of registration form type your payload :  
"><img src=x onerror=prompt(document.domain);>  
  
3-then hit CONTINUE  
  
  
4- Once the admin logs in and go to Customerlookup page ... the admin will be xssed   
  
http://example/hotel-booking-pro/cp/admin-home.php  
  
  
  
  
  
Impact:  
XSS can lead to adminstators/users's Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical attacks on administrators directly.  
  
  
  
  
Screentshoots:  
  
https://i.imgur.com/RWArdAB.png  
  
`