| Title | code-projects.org Hotel and Tourism Reservation In PHP 1.0 SQL Injection |
|---|
| Description | A vulnerability was found in Hotel and Tourism Reservation In PHP 1.0 on code-projects.org. The affected file is /ht/admin/add_room.php of the component Room Management Page. The manipulation of the GET parameter 'delete_image' with a crafted payload leads to SQL Injection (Time-based Blind).
Payload used:
150'XOR(15*if(now()=sysdate(),sleep(6),0))XOR'Z
Additional vulnerable parameters: GET 'edit', POST 'description', 'number', 'price', 'rooms', 'type'.
The application directly concatenates user input into backend SQL queries without sanitization or parameterized queries. The attack can be initiated remotely without authentication.
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5 (High)
Vendor was contacted on 2026-06-06 via email. No response received.
Advisory: https://medium.com/@avdzav10/sql-injection-in-hotel-and-tourism-reservation-system-php-1-0-admin-add-room-php-25149909c16a
Product: https://code-projects.org/hotel-and-tourism-reservation-in-php-with-source-code/ |
|---|
| Source | https://medium.com/@avdzav10/sql-injection-in-hotel-and-tourism-reservation-system-php-1-0-admin-add-room-php-25149909c16a |
|---|
| User | anubhav106 (UID 98769) |
|---|
| Submitted | 2026-06-06 06:28 (29 days ago) |
|---|
| Moderation | 2026-07-04 17:56 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376343 [code-projects Hotel and Tourism Reservation 1.0 /admin/add_room.php SQL injection] |
|---|
| Points | 20 |
|---|