Skip to content

Instantly share code, notes, and snippets.

View stasinopoulos's full-sized avatar
💉
I write code that injects code

Anastasios Stasinopoulos stasinopoulos

💉
I write code that injects code
View GitHub Profile
It was identified that the blog module in Kentico CMS 5.5 R2 (build 5.5.3996) is vulnerable to SQL injection attacks via “tagname” parameter, since user-controllable data is incorporated into database SQL queries in an unsafe manner.
This vulnerability can be leveraged by a potential attacker in order to interact with the back-end database and access/modify/delete stored data, interfere with application logic, escalate his privileges within the database and/or potentially take control of the database server.
The vulnerability was exploited using the sqlmap tool:
* Sample url: https://target.com/blog?tagname=test&groupid=1
* Vulnerable parameter: tagname
* Type: time-based blind sql injection
* Sample payload: tagname=test'+(SELECT CHAR(118)+CHAR(103)+CHAR(85)+CHAR(89) WHERE 1718=1718 AND 6176=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7))+'&groupid=1
@stasinopoulos
stasinopoulos / ping_blind.aspx
Created September 6, 2017 05:27
Simple ASPX application (vulnerable to blind OS command injections)
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="C#" runat="server">
string ExcuteCmd(string arg){
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c ping -n 2 " + arg;
psi.RedirectStandardOutput = true;
@stasinopoulos
stasinopoulos / ping.aspx
Created April 14, 2017 13:14
Simple ASPX application (vulnerable to OS command injections)
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e){
}
string ExcuteCmd(string arg){
ProcessStartInfo psi = new ProcessStartInfo();
@stasinopoulos
stasinopoulos / cmd.jsp
Created April 14, 2017 07:09
Simple JSP application (vulnerable to OS command injections)
<FORM METHOD=GET ACTION='cmd.jsp'>
<INPUT name='addr' type=text>
<INPUT type=submit value='Submit!'>
</FORM>
<%@ page import="java.io.*" %>
<%
String addr = request.getParameter("addr");
String[] ping = {"/bin/sh", "-c", "ping -c2 " + addr};
String output = "";