CVE-2023-33817: GitHub - leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5

hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.


CVE-2023-33817 - SQL-Injection-found-in-HotelDruid-3.0.5

HotelDruid v3.0.5 is vulnerable to SQL injection. An attacker could issue arbitrary SQL commands to retrieve data from the database or even achieve remote code execution on the target database system.

This is my second repo. Don't beat me if I didn't explain well.

Description of product: HotelDruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability: We found that this web application allows any authenticated user, whether admin or any other user, to inject malicious SQL commands into the affected parameters to retrieve data from the database or even achieve code execution on the target system. Below are the steps to reproduce and, again, don't beat me if I didn't explain well.

Affected webpage: creaprezzi.php

Affected parameters & components:

inizioperiodo1, fineperiodo1, inizioperiodo2, fineperiodo2, inizioperiodo3, fineperiodo3, inizioperiodo4, fineperiodo4, inizioperiodo5, fineperiodo5, inizioperiodo6, fineperiodo6, inizioperiodo7, fineperiodo7

Step 1: Log in and navigate to creaprezzi.php; the highlighted part is the affected parameter in the GUI.

Step 2: Intercept with Burp Suite, insert a basic payload like "'%2b(select*from(select(sleep(10)))a)%2b'" and monitor the response. The screenshot below shows that the server returns the response after 10 seconds, so it seems we can move a bit deeper :-).

Step 3: What if we save this into a Burp file and pass it to sqlmap? The screenshot below shows the result of sqlmap.

Step 4: We can expand a bit more with the sqlmap command below; I chose sql-shell. The screenshot below shows that we can even execute SQL commands by abusing the vulnerable parameter.

PS: The above steps are just a PoC for the vendor; actually I have climbed from sql-shell to a full OS command shell, but this needs many more steps and techniques, and I think this is beyond what the CVE request asks us to demonstrate.
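The advisory shows a time-based blind injection through the fourteen period parameters of creaprezzi.php: a legitimate value is a date, while the payload is a quote followed by a subselect calling sleep(). That gap between expected and observed input is what a defender can key on, both as an allow-list check before the value reaches SQL and as a detection over web server access logs. The following is an added example written for this page, not code from the advisory author or from the HotelDruid project. It assumes the legitimate value is an ISO date (YYYY-MM-DD; HotelDruid's real accepted format is not stated on the page and the regex should be adjusted to match), a Common Log Format access log, and constructed sample log lines that embed the percent-encoded payload quoted in Step 2.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The 14 period parameters named in the advisory (inizioperiodo1..7, fineperiodo1..7).
PERIOD_PARAMS = {f"{p}{i}" for p in ("inizioperiodo", "fineperiodo") for i in range(1, 8)}

# Assumption: a legitimate value is a plain ISO date. HotelDruid's real accepted
# format is not given on the page; tighten or change this to match the application.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Markers of the technique shown in the advisory: a quote breaking out of the
# string literal, a subselect, and delay functions such as sleep()/benchmark().
SQLI_MARKERS = re.compile(r"(['\"]|\bselect\b|sleep\s*\(|benchmark\s*\(|\bunion\b|--|/\*)",
                          re.IGNORECASE)

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def validate_period(value: str) -> bool:
    """Allow-list check the application (or a WAF) should apply before the value is
    ever placed in a query; anything not matching the date shape is rejected."""
    return bool(DATE_RE.match(value))


def suspicious_params(target: str) -> dict:
    """Return the creaprezzi.php period parameters whose value fails the allow-list,
    mapped to (decoded value, reason). An empty dict means nothing to flag."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "creaprezzi.php":
        return {}
    flagged = {}
    # parse_qsl percent-decodes, so %27 and %2b become ' and + before inspection.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in PERIOD_PARAMS or validate_period(value):
            continue
        reason = "sql-metacharacters" if SQLI_MARKERS.search(value) else "malformed-date"
        flagged[name] = (value, reason)
    return flagged


def scan_log(lines):
    """Parse access-log lines and return (ip, user, param, decoded value, reason)
    tuples for every period parameter that fails the allow-list."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real pipeline would count these
        for name, (value, reason) in suspicious_params(m["target"]).items():
            alerts.append((m["ip"], m["user"], name, value, reason))
    return alerts


# Constructed sample log lines (not from a real server). Line 2 carries the
# percent-encoded time-based payload from the advisory; line 3 is a benign-looking
# but wrongly formatted date; line 4 hits a different (made-up) page and is ignored.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Jun/2023:10:00:01 +0000] "GET /hoteldruid/creaprezzi.php?inizioperiodo1=2023-07-01&fineperiodo1=2023-07-15 HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [12/Jun/2023:10:00:14 +0000] "GET /hoteldruid/creaprezzi.php?inizioperiodo1=%27%2b(select*from(select(sleep(10)))a)%2b%27&fineperiodo1=2023-07-15 HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [12/Jun/2023:10:00:20 +0000] "GET /hoteldruid/creaprezzi.php?inizioperiodo7=2023-07-01&fineperiodo7=01/07/2023 HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [12/Jun/2023:10:01:00 +0000] "GET /hoteldruid/other.php?inizioperiodo1=x HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT", *alert)
```

Two design points worth noting. The check is an allow-list on the expected shape, not a deny-list of SQL keywords, so the "sql-metacharacters" versus "malformed-date" split only labels why a value was rejected for triage; the rejection itself does not depend on recognising the payload. And the same `validate_period` function is what a fix in the application would call before binding the value into a prepared statement, so detection and mitigation share one definition of "valid input". Pair this with response-time monitoring: a burst of creaprezzi.php requests whose latency clusters around a round number of seconds is the other fingerprint of the sleep()-based probe the advisory demonstrates.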

The screenshot below shows the version of HotelDruid.
