Railway Reservation System v1.0 - SQLi
Summary
| Name | Railway Reservation System v1.0 - Multiple Unauthenticated SQL Injections (SQLi) |
| Code name | Barenboim |
| Product | Railway Reservation System |
| Vendor | Projectworlds Pvt. Limited |
| Affected versions | Version 1.0 |
| State | Public |
| Release date | 2023-12-06 |
Vulnerabilities
| Kind | Unauthenticated SQL Injections (SQLi) |
| Rule | 146. SQL Injection |
| Remote | Yes |
| CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSSv3 Base Score | 9.8 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2023-48685, CVE-2023-48687, CVE-2023-48689 |
Description
Railway Reservation System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.
Vulnerabilities
CVE-2023-48685
The 'psd' parameter of the login.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:
$uname=$_POST['user'];
$pass=$_POST['psd'];
require('firstimport.php');
$tbl_name="users"; // Table name
mysqli_select_db($conn,"$db_name")or die("cannot select DB");
$sql="SELECT * FROM $tbl_name WHERE f_name='$uname' and password='$pass'";
echo "$sql";
$result=mysqli_query($conn,$sql) or trigger_error(mysql_error.$sql);
CVE-2023-48687
The 'from' parameter of the reservation.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:
$tostn = $_POST['to']; $fromstn = $_POST['from']; $doj = $_POST['date']; $from=$_POST['from']; $to=$_POST['to']; $quota=$_POST['quota']; $from=strtoupper($from); $tostn=strtoupper($tostn); $fromstn=strtoupper($fromstn); $to=strtoupper($to); $day=date("D",strtotime("".$doj)); //echo $day."</br>";
$sql="SELECT * FROM $tbl_name WHERE (Ori='$from' or st1='$from' or st2='$from' or st3='$from' or st4='$from' or st5='$from') and (st1='$to' or st2='$to' or st3='$to' or st4='$to' or st5='$to' or Dest='$to') and ($day='Y')";
$result=mysqli_query($conn,$sql);
CVE-2023-48689
The 'byname' parameter of the train.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:
if(isset($_POST['byname']) && ($_POST['bynum']==""))
{
$name1=$_POST['byname'];
$k=2;
$name1=strtoupper($name1);
$tbl_name="train_list";
$sql="SELECT * FROM $tbl_name WHERE Number='$name1' or Name='$name1' ";
$result=mysqli_query($conn,$sql);
}
else if(isset($_POST['byname']) && isset($_POST['bynum']))
{
$k=1;
$from=$_POST['byname'];
$to=$_POST['bynum'];
$from=strtoupper($from);
$to=strtoupper($to);
$sql="SELECT * FROM $tbl_name WHERE (Ori='$from' or st1='$from' or st2='$from' or st3='$from' or st4='$from' or st5='$from') and (st1='$to' or st2='$to' or st3='$to' or st4='$to' or st5='$to' or Dest='$to')";
$result=mysqli_query($conn,$sql);
}
Our security policy
We have reserved the IDs CVE-2023-48685, CVE-2023-48687 and CVE-2023-48689 to refer to these issues from now on.
System Information
- Version: Railway Reservation System v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://projectworlds.in/
Timeline
2023-11-17
Vulnerability discovered.
2023-11-17
Vendor contacted.
2023-12-06
Public Disclosure.
