Skip to content

leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 

Repository files navigation

CVE-2023-33817 - SQL Injection found in HotelDruid V3.0.5

HotelDruid v3.0.5 are vulnerable to SQL injection. An attacker could issue arbitrary sql command to retrieve data in databases or even execute remote code execution on target database system

This is my second repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allowx any authenticated user such as admin or any user to inject malicious sql command into affected parameter to retrieve data in databases or even execute code execution on target system. Below are the steps to reproduce and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php Affected Parameter&Component :

inizioperiodo1 fineperiodo1 inizioperiodo2 fineperiodo2 inizioperiodo3 fineperiodo3 inizioperiodo4 &fineperiodo4 inizioperiodo5 fineperiodo5 inizioperiodo6 fineperiodo6 inizioperiodo7 fineperiodo7

Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI

sql main page

Step 2 : Intercept with BurpSuite, and insert some basic payload like " '%2b(select*from(select(sleep(5)))a)%2b' " and monitor the response. the sceenshot below shows the server have returns the response after 5 seconds , it seems we can move abit deeper :-) .

creaprezzi_php SQL_sleeppng

Step 3 : what if we save this into a burp file and pass it to sqlmap? The screenahot below shows the result of sqkmap.

sqlmap_result

Step 4 : We can expand abit more with below sqlmap command, i choose sql-shell . The screenshot below shown we can even execute sql command by abusing the vulnerable parameter.

sqlmap_sql_shell

Ps : Above steps is just POC for vendor, actually i have climb from sql-shell to fully OS command shell, but this may need more and more steps and technique involved and i think this is beyond what CVE request us to demo .

Screenshot below show the version of HotelDruid

Version_HotelDruid_3 0 5

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published