CoryApp Cory JobSearch suffers from a remote SQL injection vulnerability.
e2cbbfcb6107f466b9c88014936f7d4ece59c46ccbf85de5cf1ff6afb627a8db
# Exploit Title: CoryApp (Cory JobSearch) MySQL Injection Vulnerability
# Google Dork: allintext: "Powered by CoryApp.com"
# Date: 04,March 02,2014
# Exploit Author: Slotleet
# Vendor Homepage: http://coryapp.com
# Software Link:
http://coryapp.com/download/?file=9e033e1dda12cf705b64d91342ea7f3df6cfc49f
(u have to register)
# Version: V1.0
# Tested on: Win,Linux
==========================
Vulnerability Description
==========================
The Cory JobSearch is prone to Get MySQL Injection Vulnerabilities
==========================
PoC-Exploit
==========================
// GET MySQL Injection with "cid" Parameter in /adminCP/city.php
1: <?php
2: require_once "../include/function.php";
3: require_once "../include/config.php";
4: echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
5: $sql = "select Id, ".$lang."State as LState from
".$prefix."state_province where CountryId = ".$_GET['cid'];
6: Connect_Database();
7: $query = mysql_query($sql);
8: if($query && mysql_num_rows($query) > 0)
9: {
10: if(isset($_GET['s']) && intval($_GET['s'])==1)
11: echo '<option value="0">- - Any - -</option>';
12: while($row=mysql_fetch_array($query))
13: {
14: echo '<option value="'.$row['Id'].'">'.$row['LState'].'</option>';
15: }
16: }
17: else echo '<option value="0">No data</option>';
18: Close_Connect();
19: ?>
In line 5 coder failed to secure the "cid" Parameter Against (MySQL Injection)
[~31337~] http://ph33r/research/coryapps/jobsearch/admincp/city.php?cid=[MySQL
Injection]
The "cid" GET MySQL injection will be executed to the MySQL Server in browser
==========================
Solution
==========================
Not Available.
==========================
Credits
==========================
Vulnerabilities found and advisory written by Slotleet.