Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-33817 PoC — HotelDruid SQL注入漏洞

Source
https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5
Associated Vulnerability
Title:HotelDruid SQL注入漏洞 (CVE-2023-33817)
Description:hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.
Readme
# CVE-2023-33817 - SQL Injection found in HotelDruid V3.0.5


HotelDruid v3.0.5 are vulnerable to SQL injection. An attacker could issue arbitrary sql command to retrieve data in databases or even execute remote code execution on target database system

This is my second repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allowx any authenticated user such as admin or any user to inject malicious sql command into affected parameter to retrieve data in databases or even execute code execution on target system. Below are the steps to reproduce and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php
Affected Parameter&Component : 

inizioperiodo1
fineperiodo1
inizioperiodo2
fineperiodo2
inizioperiodo3
fineperiodo3
inizioperiodo4
&fineperiodo4
inizioperiodo5
fineperiodo5
inizioperiodo6
fineperiodo6
inizioperiodo7
fineperiodo7


Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI


![sql main page](https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5/assets/45155253/a5d21686-05c6-46a8-afdc-f3ca864e99b7)

Step 2 : Intercept with BurpSuite, and insert some basic payload like " '%2b(select*from(select(sleep(5)))a)%2b' " and monitor the response. the sceenshot below shows the server have returns the response after 5 seconds , it seems we can move abit deeper :-) .

![creaprezzi_php SQL_sleeppng](https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5/assets/45155253/4636acd4-c234-46ee-adc5-e5043a8caf77)

Step 3 : what if we save this into a burp file and pass it to sqlmap? The screenahot below shows the result of sqkmap.

![sqlmap_result](https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5/assets/45155253/80322732-37cd-4aa6-8dc9-a7df62f9f8e6)

Step 4 : We can expand abit more with below sqlmap command, i choose sql-shell . The screenshot below shown we can even execute sql command by abusing the vulnerable parameter.

![sqlmap_sql_shell](https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5/assets/45155253/7df82b64-3a66-4049-a08f-c50ec8f0e173)

Ps : Above steps is just POC for vendor, actually i have climb from sql-shell to fully OS command shell, but this may need more and more steps and technique involved and i think this is beyond what CVE request us to demo . 

Screenshot below show the version of HotelDruid

![Version_HotelDruid_3 0 5](https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5/assets/45155253/17d64e76-9bac-4c1d-8bc7-d4b726532f68)
File Snapshot

 [4.0K]  /data/pocs/812df4e2c6bc37f3dd51fcb189d4bf34b5a54b8b
└── [2.8K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →