# Exploit Title: CoryApp (Cory JobSearch) MySQL Injection Vulnerability
# Google Dork: allintext: "Powered by CoryApp.com"
# Date: 04,March 02,2014
# Exploit Author: Slotleet
# Vendor Homepage: http://coryapp.com
# Software Link:
http://coryapp.com/download/?file=9e033e1dda12cf705b64d91342ea7f3df6cfc49f
(u have to register)
# Version: V1.0
# Tested on: Win,Linux

==========================
Vulnerability Description
==========================

The Cory JobSearch is prone to Get MySQL Injection Vulnerabilities

==========================
PoC-Exploit
==========================

// GET MySQL Injection with "cid" Parameter in /adminCP/city.php

1: <?php
2: require_once "../include/function.php";
3: require_once "../include/config.php";
4: echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
5: $sql = "select Id, ".$lang."State as LState from
".$prefix."state_province where CountryId = ".$_GET['cid'];
6: Connect_Database();
7: $query = mysql_query($sql);
8: if($query && mysql_num_rows($query) > 0)
9:   {
10:   if(isset($_GET['s']) && intval($_GET['s'])==1)
11:    echo '<option value="0">- - Any - -</option>';
12:  while($row=mysql_fetch_array($query))
13:    {
14:    echo '<option value="'.$row['Id'].'">'.$row['LState'].'</option>';
15:    }
16:   }
17: else echo '<option value="0">No data</option>';
18: Close_Connect();
19: ?>

In line 5 coder failed to secure the "cid" Parameter Against (MySQL Injection)

[~31337~] http://ph33r/research/coryapps/jobsearch/admincp/city.php?cid=[MySQL
Injection]

The "cid" GET MySQL injection will be executed to the MySQL Server in browser

==========================
Solution
==========================

Not Available.

==========================
Credits
==========================

Vulnerabilities found and advisory written by Slotleet.