MySQL Squid Access Report 2.1.4 – SQL Injection / Cross-Site Scripting

• Exploit Database
• 16 阅读

• 作者： Keerati T.
  日期： 2018-04-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44483/

• # Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
  # Date: 14-13-2018
  # Software Link: https://sourceforge.net/projects/mysar/
  # Exploit Author: Keerati T.
  # Version: 2.1.4
  # Tested on: Linux
  
  1. Description
  SQL injection and Cross site script vulnerabilities are found on ALL
  parameter of MySAR.
  
  2. Proof of Concept
  FOR EXAMPLE
  - SQL injection
  http://server/mysar/index.php?a=IPSummary&date=[SQLi]
  -XSS
  http://server/mysar/index.php?a=IPSummary&date=2018-04-14
  "><script>alert(1)</script>
  
  3. Timeline
  8-3-2018 - Report on their Github. (
  https://github.com/coffnix/mysar-ng/issues/12)
  -- 1 month later, no any response from vendor. --
  14-4-2018 - Public.