Hotel reservation System (city.asp city) Blind SQL Injection Vulnerability
A Blind SQL Injection vulnerability exists in Hotel reservation System (city.asp city) which allows an attacker to execute arbitrary SQL commands on the underlying database. The vulnerability is due to the application not properly sanitizing user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by sending malicious SQL queries to the application. Depending on the database type, different injections can be used. For Microsoft Access 97, 2000, the attacker can use the functions max(1) and count(*) from MSysAccessObjects. For Microsoft Access 2003, 2007, the attacker can use the functions max(1) and count(*) from MSysAccessStorage. This can allow an attacker to gain access to sensitive information from the database.