uHotelBooking System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in uHotelBooking System that allows unauthenticated attackers to manipulate database queries. It arises from improper handling of the 'system_page' GET parameter in 'index.php', through which attackers can inject SQL code. The flaw can be exploited with time-based blind SQL injection techniques to extract sensitive information from the database.
Impact
Exploitation of this vulnerability allows for unauthorized database access and manipulation, potentially leading to the disclosure of sensitive information.
Reproduction
To reproduce this vulnerability, send a crafted request to 'index.php' with a 'system_page' value that contains an SQL injection payload. The injected SQL can target the application's database query handling, for example by using time-based blind SQL injection techniques to extract data.
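Requests of this kind leave traces in web server access logs. The following Python script is an added example, not part of the original advisory or the vendor's code: it flags 'index.php' requests whose 'system_page' value falls outside a slug allow-list and notes delay-function names and slow responses. The log layout, the allow-list pattern, the 3-second threshold and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate system_page values are short slugs; tune per site.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Delay primitives commonly associated with time-based blind SQL injection.
DELAY_HINT = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
# Assumed layout: combined log format with response time (seconds) appended.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+'
    r'(?: "[^"]*" "[^"]*")?(?: (?P<rt>\d+(?:\.\d+)?))?$'
)
SLOW_SECONDS = 3.0  # assumed threshold for an abnormally slow page load

def inspect_line(line):
    """Return a finding for a suspicious system_page request, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(("/", "/index.php")):
        return None
    # parse_qs percent-decodes once, as PHP does when filling $_GET.
    values = parse_qs(url.query).get("system_page", [])
    bad = [v for v in values if not SAFE_VALUE.fullmatch(v)]
    if not bad:
        return None
    reasons = ["value outside slug allow-list"]
    if any(DELAY_HINT.search(v) for v in bad):
        reasons.append("delay function in value")
    if m["rt"] and float(m["rt"]) >= SLOW_SECONDS:
        reasons.append("slow response")
    return {"ip": m["ip"], "value": bad[0], "reasons": reasons}

def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines for illustration; not taken from a real server.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?system_page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.041',
    '198.51.100.23 - - [12/Mar/2024:10:02:10 +0000] "GET /index.php?system_page=about%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "curl/8.4.0" 5.012',
    '198.51.100.23 - - [12/Mar/2024:10:02:31 +0000] "GET /index.php?system_page=about%27 HTTP/1.1" 200 512 "-" "curl/8.4.0" 0.038',
    '203.0.113.7 - - [12/Mar/2024:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0" 0.003',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A slow response alone is never reported; it only adds weight to a value that already failed the allow-list check, which keeps ordinary slow pages out of the findings.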
