delpino73 Blue-Smiley-Organizer SQL Injection Vulnerability in 'datetime' Parameter

Vulnerability

A SQL injection vulnerability has been identified in Blue-Smiley-Organizer version 1.32. The issue resides in the 'datetime' parameter and allows unauthenticated attackers to manipulate database queries. Exploitation can lead to the extraction of sensitive data using boolean-based blind and time-based blind techniques, or to the writing of files to the server via INTO OUTFILE statements.

Impact

An attacker who exploits this SQL injection can potentially extract sensitive data or execute arbitrary commands on the server by writing a PHP shell through the injection.

Reproduction

The vulnerability can be reproduced by sending a POST request to the application with a crafted 'datetime' parameter. The injection can be verified by using payloads that exploit boolean-based blind or time-based blind SQL injection techniques. Additionally, the vulnerability can be exploited to write files to the server using INTO OUTFILE statements.
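A hardened way to handle a 'datetime' request parameter, as an added example that is not Blue-Smiley-Organizer's own code: the value is accepted only if it is exactly a datetime, and it is bound to the query rather than concatenated. The 'Y-m-d H:i:s' format, the function names, the `entries` table and its columns are assumptions, and SQLite stands in for the application's database so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only an exact 'Y-m-d H:i:s' value (assumed format).
function parse_datetime_param(string $raw): ?string
{
    $format = 'Y-m-d H:i:s';
    $dt = DateTimeImmutable::createFromFormat('!' . $format, $raw);
    // Round-trip comparison rejects trailing data, overflowed dates
    // (e.g. month 13) and anything that is not byte-for-byte a datetime.
    if ($dt === false || $dt->format($format) !== $raw) {
        return null;
    }
    return $raw;
}

// Hypothetical query: table and column names are placeholders.
function find_entries(PDO $db, string $rawDatetime): array
{
    $when = parse_datetime_param($rawDatetime);
    if ($when === null) {
        throw new InvalidArgumentException('datetime must be YYYY-MM-DD HH:MM:SS');
    }
    // The value is bound, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, title FROM entries WHERE created_at >= :when ORDER BY id');
    $stmt->execute([':when' => $when]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, created_at TEXT)');
$db->exec("INSERT INTO entries (title, created_at) VALUES
    ('old note', '2026-01-01 09:00:00'), ('new note', '2026-02-20 23:35:00')");

// Constructed inputs: one well-formed value, three that must be rejected.
$inputs = ['2026-02-01 00:00:00', '2026-13-01 00:00:00', "2026-02-01 00:00:00'", ''];
foreach ($inputs as $input) {
    try {
        $rows = find_entries($db, $input);
        printf("accepted %s -> %d row(s)\n", var_export($input, true), count($rows));
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s\n", var_export($input, true), $e->getMessage());
    }
}
```

On MySQL, INTO OUTFILE additionally requires the FILE privilege, so running the application under a database account without it, and setting `secure_file_priv`, limits the file-write impact even if an injection is missed.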

Added: Feb 20, 2026, 11:35 PM
Updated: Feb 20, 2026, 11:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.