CVE-2008-3266

SoftAcid Hotel Reservation System Multi - SQL Injection via picture_pic_bv.asp key Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3266. PoCs published by Mr.SQL.

AI-analyzed exploit summary This exploit is a Perl script that performs a blind SQL injection attack against the 'picture_pic_bv.asp' endpoint in HRS software. It brute-forces the MD5 hash of the admin password by checking character-by-character using a time-based or boolean-based SQLi technique.

Description

SQL injection vulnerability in picture_pic_bv.asp in SoftAcid Hotel Reservation System (HRS) Multi allows remote attackers to execute arbitrary SQL commands via the key parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Mr.SQL · perlwebappsasp

https://www.exploit-db.com/exploits/6105

View Code ZIP pw:eip

This exploit is a Perl script that performs a blind SQL injection attack against the 'picture_pic_bv.asp' endpoint in HRS software. It brute-forces the MD5 hash of the admin password by checking character-by-character using a time-based or boolean-based SQLi technique.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: HRS (likely a version from 2008 or earlier)

No auth needed

Prerequisites: Target must have the vulnerable 'picture_pic_bv.asp' endpoint exposed · Target must be running a vulnerable version of HRS software

MITRE ATT&CK