CVE-2009-4386

Venalsur Booking Centre Booking System for Hotels Group - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4386. PoCs published by Salvatore Fresta.

AI-analyzed exploit summary The document describes a SQL injection vulnerability in B2D Booking Centre Systems, where unsanitized parameters allow attackers to inject malicious SQL queries. The provided example demonstrates a UNION-based SQLi to extract database version and user information.

Description

SQL injection vulnerability in hotel_tiempolibre_ext.php in Venalsur Booking Centre Booking System for Hotels Group, when magic_quotes_gpc is enabled, allows remote attackers to execute arbitrary SQL commands via the NoticiaID parameter and other unspecified vectors.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Salvatore Fresta · textwebappsphp
https://www.exploit-db.com/exploits/10393

The document describes a SQL injection vulnerability in B2D Booking Centre Systems, where unsanitized parameters allow attackers to inject malicious SQL queries. The provided example demonstrates a UNION-based SQLi to extract database version and user information.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: B2D Booking Centre Systems
No auth needed
Prerequisites: Magic Quotes GPC must be disabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/10393
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32430
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508429/100/0/threaded
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3538

Scores

EPSS 0.0102
EPSS Percentile 59.0%

Details

CWE
CWE-89
Status published
Products (1)
bookingcentre/booking_system_for_hotels_group
Published Dec 22, 2009
Tracked Since Feb 18, 2026