CVE-2008-5874

Hotel Booking Reservation System - Joomla! SQL Injection


Exploitation Summary

EIP tracks 3 public exploits for CVE-2008-5874. PoCs published by EcHoLL, Hussin X.

AI-analyzed exploit summary: This Perl script exploits a SQL injection vulnerability in the Joomla com_5starhotels component to extract admin credentials (username and password hash) from the jos_users table. It uses a UNION-based SQLi attack via the 'id' parameter in the showhoteldetails task.

Description

Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS) for Joomla! allow remote attackers to execute arbitrary SQL commands via the id parameter in a showhoteldetails action to index.php in the (1) com_allhotels or (2) com_5starhotels module. NOTE: some of these details are obtained from third party information.

Exploits (3)

exploitdb WORKING POC VERIFIED
by EcHoLL · perl · webapps · php
https://www.exploit-db.com/exploits/7575

This Perl script exploits a SQL injection vulnerability in the Joomla com_5starhotels component to extract admin credentials (username and password hash) from the jos_users table. It uses a UNION-based SQLi attack via the 'id' parameter in the showhoteldetails task.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Joomla with com_5starhotels component
No auth needed
Prerequisites: Target must have the vulnerable com_5starhotels component installed · Target must be running a vulnerable version of Joomla
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Hussin X · text · webapps · php
https://www.exploit-db.com/exploits/7568

This is a writeup describing a blind SQL injection vulnerability in the Joomla component com_allhotels. It provides example URLs demonstrating the vulnerability but does not include executable exploit code.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: Joomla com_allhotels component
No auth needed
Prerequisites: Access to the vulnerable Joomla component via URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
webapps · php
https://www.exploit-db.com/exploits/7567

This exploit demonstrates a blind SQL injection vulnerability in the Joomla component com_lowcosthotels. The vulnerability allows an attacker to inject malicious SQL queries via the 'id' parameter, enabling information disclosure such as database version extraction.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Joomla com_lowcosthotels component
No auth needed
Prerequisites: Access to the vulnerable Joomla component endpoint
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32952
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7575
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7568

Scores

EPSS 0.0097
EPSS Percentile 57.4%

Details

CWE CWE-89
Status published
Products (3)
joomlahbs/com_5starhotels _nil_
joomlahbs/com_allhotels _nil_
joomlahbs/hotel_booking_reservation_system _nil_
Published Jan 08, 2009
Tracked Since Feb 18, 2026