PHPJabbers Car Rental Script 3.0 SQL Injection

PHPJabbers Car Rental Script version 3.0 suffers from a remote SQL injection vulnerability.

SHA-256 | da611ec0ad9f60f8789a0b37c087ba77ab18171db28eb201e5d8c4312ef65403

Download

┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                  [ Vulnerability ]                                   ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                                                                    :
│  Website  : PHPJabbers.com                                                             │
│  Vendor   : PHPJabbers                                                                 │
│  Software : PHPJabbers Car Rental Script 3.0                                           │
│  Vuln Type: SQL Injection                                                              │
│  Impact   : Database Access                                                            │
│                                                                                        │
│────────────────────────────────────────────────────────────────────────────────────────│
│                                                                                       ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│ Release Notes:                                                                         │
│ ═════════════                                                                          │
│                                                                                        │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and     │
│ damage to a company's reputation.                                                      │
│                                                                                        │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   
       
  CryptoJob (Twitter) twitter.com/CryptozJob
     
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2023                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php

POST parameter 'hour_from' is vulnerable to SQLI

POST parameter 'minutes_to' is vulnerable to SQLI

date_from=27.01.2023&hour_from=[INJECT-HERE]&minutes_from=00&date_to=28.01.2023&hour_to=09&minutes_to=[INJECT-HERE]&pickup_id=4&same_location=1


POST parameter 'col_name' is vulnerable to SQLI

index.php?controller=pjFront&action=pjActionLoadCars&session_id=9j5lonhuljjtcpff7l1qjq5a85&type_id=all&transmission=&col_name=total_price&direction=asc


[-] Done

Source: packetstormsecurity.com